Welcome to our KuppingerCole Webinar, Re-Imagining Identity Management for the Digital Era. This webinar is supported by Arcon. The speakers today are Gautam Singh Deo, who is Director of Strategic Business Engagements at Arcon, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts.
As usual, and before we dive into some of the content of today's webinar, a quick round of housekeeping. You are muted centrally, so you don't need to care about anything regarding your microphone. We will run two polls during the webinar, one more towards the beginning, one more towards the end, and we will do a Q&A session at the end of the webinar.
However, you can enter questions at any time throughout the webinar, and I also strongly recommend that you do so, because given that today we will have more conversation between Gautam and me, then we can, whenever appropriate, pick up your questions and directly respond to them. So don't hesitate to enter your questions during this webinar. We are doing a recording of the webinar, so the slides are of lesser value, because they're just providing a bit of a structure, as I've said, and that brings us directly to the agenda.
This is really today more a discussion style webinar, where Gautam Singh Deo and me, Martin Kuppinger, will look at the subjects and what potentially must change, is changing, will need to change in identity management for digital age or digital era.
In the second part, and as I've already mentioned, we do the Q&A, and with that, I want to directly shift to the first poll, and that poll is, so when we look at identity management, the question is, is this something where you have really a sort of a holistic, comprehensive concept, an IAM blueprint that covers all major areas, something like the identity fabric that the concept we defined quite a while ago. So yes or no, I'm looking forward to your responses.
The more participating in these polls, the more interesting it is, and if ever time is left, we may pick up the results and discuss them in the Q&A by the end of the webinar. So please respond, and then in 10 seconds or so, we'll close the poll and start our webinar, or the main part of our webinar. So thank you.
Welcome, Gautam. A pleasure to have you here. So before we directly dive into our first topic, which will be looking a bit at today's IAM challenges, maybe you quickly introduce yourself.
Oh, and I need to unmute you, I see. Sorry. Here we go.
Yeah, hi. Good morning, good afternoon, good evening to everyone who's joining in from different parts of the globe.
Thanks, Martin. It's a pleasure to be here. As you mentioned, I'm Director of Strategic Engagements at Arcon, which means we run, drive some of the strategic initiatives and go-to-market approaches for the identity platforms that Arcon focuses on. Great to be here because I understand this is more of a fireside chat format, and that's what works very well in actually, you know, throwing up ideas and making it more interactive in terms of also the Q&As that we expect to have from the wonderful audience here.
Okay, great. So let's get started then. We decided up front on a couple of talking points we'd like to talk about, as you said, more in a fireside chat style. And the first one is about IAM challenges. So what do you see? And then I may look at what I see. What do you see as the main challenges these days when we look at identity access management?
Well, I believe the landscape is evolving and changing tremendously. Of course, from the, you know, traditional challenges of, say, a password fatigue or, you know, automation of a process of provisioning, deprovisioning, those problem statements still stay, but people have understood how to address them, if not already done so.
I think the new challenge is around the fact that organizations are spending millions of dollars on siloed and disparate solutions, maybe going for a different MFA, different PAM, you know, privileged access management, different solution for governance and identity and access management, and so on and so forth, right? There are specific problem statements for cloud adoption and entitlements on the cloud, as well as it may be on the API security or application side in terms of role-based. And I think that is definitely the case.
What I also see is that we've been talking about identity management for quite a while, and the term identity and access management probably is more than two decades old already. And it is on the agenda for organizations for quite a long time.
But it's still that when I talk with organizations, it's very interesting to see at the end that many of these organizations still are in a state that is incomplete to a certain extent, so sometimes really in main capabilities of IAM, such as no good privileged access management or already gaps in other areas are lacking or are outdated or are at a relatively low state of maturity. So I think on a more generic level, this is surely one of the bigger challenges we are facing in identity management, but it's still not that we find a high level of maturity across all the organizations.
And I think the smaller organizations become, unless they are heavily regulated, the more it is the case. And I also believe that we have a couple of things which we need to fix more on a technical level. This probably would lead too far in depth chat, but when I see that really, I probably would say that the majority of organizations are struggling with building their own models, with successfully executing the recertification campaigns, it also means that some of these things we are doing in identity management seem not to be good enough to what we need to do.
But I also agree that there are other types of IAM use cases we need to cover. And it needs to be a culmination of people, processes, and technology coming together because it's no easy management of specific identities. With the types of identities in itself increasing, we are not talking of just user IDs and passwords anymore. It's really around the very persona. It could mean human and non-human identities. It could mean business privilege identities, service accounts, applications, bots, and all of those need to, as well as digital assets at the end of it.
So digital identities and digital assets need to be eventually mapped back to a human identity as the custodianship or ownership of those. So it's more complex than just managing specific credentials or username passwords. It's around the evolution of identities in terms of an outcome-driven model, hyper-personalization because identity now constitutes the entire persona. It could mean ideas. It could mean how someone carries on some particular tasks. All of that goes into the attributes of an identity.
Yeah, you're bringing up quite a number of points. Some of them we probably touch later on, not like the outcome-based approach, etc. I think one of the points you raised, so the different types of identities, human versus silicon, etc. I think this is interesting because it fits also to a question that just came in. The first question I'd like to pick up from the audience is, isn't one of the major challenges that most IAM projects are still too workforce-focused? So I think when we look at identity management and it's running, then I would agree a lot of this is still workforce.
We have quite a bit of consumer identity stuff happening, sometimes a bit disparate. When it goes into machine identities, into what you call custodianship or identity relationships, then surely we have to go a long way in many of the organizations.
No, I believe it's equally important to look outward towards consumers, customers, or even citizens for that matter, right? At a larger perspective because that's where a lot of external or third-party identities will need to access the applications or network within the organization for some business requirement or the other. And that is equally one of the challenges and rather opportunities that organizations need to look at in terms of management. So when you look at IAM, then I'd say, okay, there are challenges.
I think, you know, at the end of the day, the point is not saying there are challenges. The point is, how can we solve it? Yes. So when you look at this and think about an IAM for the digital age, what is it? I think we started four or five years ago or so at least with this concept of identity fabric, which seems to become more and more prominent. I see others picking up on this term. When I created this idea or when we created this, basically it was also a bit of stepping back and saying, what is the truth of IAM?
And IAM is providing seamless, yet secure, and well-governed access for everyone and everything to every service. So that was at the core, the starting point for, and then it's about how to fill that entire thing. And so I think this could be, to my perspective, and maybe I'm overrating that concept, but it could be a very good starting point because it's saying, okay, it's really about everyone, everything, every type of service, and a more holistic view.
And it also has in it, you can access it, it can manage services, but it can also provide, it also provides the APIs, and inherently it runs as a service. So it's IDaaS, identity as a service. For that matter, yes.
No, I couldn't agree more, Martin. And that's where with the increase in adoption of digitalization and automation, it's, again, we come back to the types of identities, it's increasing in the non-human segment of things with also service accounts and bots being created more and more. Further on, there could be processes that are actually replicating those for maybe separate purposes of a business or even inadvertently sort of replicating of processes in itself.
But I believe that the custodianship of all of that, the ownership of each one of those types of accounts coming back into a reconciliation is important and thus that needs to be looked at from a holistic governance perspective. Yeah. So what I also want to bring up, this is really this API aspect. So let me talk about IAM for the digital age. So traditional identity management is, so to speak, inside out from the identity management system to the applications. We create accounts, we define entitlements, we authenticate and let them in, so to speak.
And that is something where I believe, specifically when we look at digital services, we need to also sort of support the opposite way, outside in, saying every digital service can consume identity services via the defined and consistent set of APIs. So create a user, authenticate, provide me the risk information, whatever could be in there.
But I believe that modern identity management needs to support those ways and with the outside in part becoming more and more relevant, the more we work through standards, the more we work with cloud services as targets of digital services, the more it's really a consumption aspect. I think in this entire puzzle, if we could get the piece on the single source of truth identified, and if one gets that correctly, then that's a whole side of the problem that gets solved.
So when we are looking, like you said, either outwardly or external to inwards, the identity provider and the single source of truth becomes that much of a point to look at.
Because one may not have all the attributes known about the user trying to get that access, but I think when they are now more in terms of federated identities, and if one could look at even a nationwide identity provider, like maybe your service account or something in terms of the SSIDs that some of the citizens have across the entire country, it could be your country identity or your social security numbers being integrated into something of that sort. We need to kind of think through and reimagining identities to dictate that identity provision and the single source of truth.
I even would dare to say that decentralized identities will become a very relevant element in the IAM for the digital age. And I think we touched on some points. One is how do we deploy which types of identities do we support? Every type of identity. I think this also, by the way, matches the questions I bring up in a second. The way someone can consume or is supported by the identity management system. So it's really that a lot of things change, but I think it's also important. That's maybe something we can touch or talk about later on.
Again, it's also important to understand that this doesn't mean that we need to, so to speak, throw away everything. But what comes is something we can use really in a convergence to sort of gradually expand and sort of modernize our existing identity management. But maybe let me quickly pick up the question. I think it fits to something you said, so I'll hand it over to you to have the question done. So which role do identities of devices and things play for IAM in the digital age? Did you say devices and systems? Devices and things. Right.
So, yeah, I think in terms when we're looking at a complete identity and access management with governance, it is about human identities, digital identities, and digital assets. So in terms of having those assets, having the right types of access to those assets, as well as being mapped onto a specific ownership of it. And this needs to be modularized even in the governance aspects of it. So as much as a user access review is important, I think device access review is equally important on that.
And a constant and continuous certification, recertification, and reconciliation of all of the types of access that are provided needs to be studied carefully, right? It's a very dynamic environment all across within organizations or even externally with third parties, and thus a continuous motion of checking the relevance of some access that may have been given some time back versus current day is an important factor. Yeah. And I think it goes back to what you said before around custodianship.
It goes back to the concept of we need to understand, again, who is using a device or in which context is the device or the thing operating? And that can be rather complex relationships. So if you take a vehicle, connected vehicle, then the vehicle itself consists of many, many different things, different components with their own identity. And then we have a huge system of organizations and individuals around it from the driver and whatever assurance company and the leasing company and the police and the garage and the manufacturer, et cetera.
So these relationships can become extremely complex. And I think there's surely something in IAM for the digital age where we need to guess. So in the interest of time, let's move a bit forward. We touched this topic of where are the challenges, how could it look like we touched IAM, identity fabric as a term. We sometimes hear about swim lanes and convergence. We also see a bit different trends. And I think also for an identity fabric that there are two levels. The one is we have consistent view and which tools do we need to build that.
And this brings us to this always interesting question about convergence versus best of breed. So what's your take on that? Absolutely. Like you said, everyone is looking to optimize.
I mean, in the ideal world, a single stop shop, but at least have minimal number of technologies coming in along with people and processes so that they can be lesser to manage with more outcome. And that's what everyone is looking at as far as what we've heard from market and even the likes of KuppingerCole have researched upon with what you have rightly termed as the identity fabric. I think it's bringing everything together in a coordinated mesh and not have a mess, but actually a mesh put in place.
Another benefit of such a thought process going in terms of delivering solutions for that matter is that you also will optimize the human resource overload because you would have a common skill set required to manage a lesser number of technologies with possibly a common code base, less number of interactions in terms of touch points, as well as some use cases coming together in a convergence or bringing the best of breed of different technologies that are intertwined can only come when each of these is interoperating and integrating with each other seamlessly in a native form.
I think that I'm asked quite regularly about, so how many tools do we need to build our identity fabric? And I think the first distinction I make is between the core capabilities like IT related or what you call AM or PAM today or CM and all the additional highly specialized technologies you may need or not depending on your environment, depending on your specific needs. And for the first part, my answer is keep it very, very low. It could be a very small digit of supplier technologies you have, but you may need others.
I think what is very important in that context is to understand, yes, there's surely a benefit if I have everything from one vendor, then I should have hopefully a consistent architecture. And if it's deployed as a service, it gets better. Consistent APIs, the same types of dashboards, UX, etc. That is definitely harder to build the more components you have. It's on the other hand, way simpler to build in today's age of identity as a service, in today's age of microservices, container-based deployments and APIs.
So it gets easier, but it still requires way more architectural thinking and way more integration work. So I think it's really about that balance. There's one other question coming in and that is about, will a single vendor strategy for IAM ever work? So I think the answer could be, it depends on, because it depends, I believe, on the size of the organization. If you're already pretty small, have low requirements, maybe yes. The bigger you are, the more complex your world is, the more complexity there is, the more complex it gets. Yes.
No, I fully agree. It's not a child's play or it's not easier said than done. But I think that's where also disruption will come in and someone's got to do it, someone will do it. It's about understanding the core of the problem and actually delivering not just the problem statement of maybe automation or governance and visibility of it, but seamlessly operationalizing that with ease of optimizing the entire process in itself. So I think that's where it could get disruptive. Given that we don't start Greenfield in most organizations, how do we get rid of the silos?
I think that's the next point. And so if you say, okay, we want a holistic concept like an identity fabric, we want to reduce the number of technologies in there, even while it's becoming simpler in a world of SaaS and IDaaS. But still the question is, what do we do with all the legacy stuff? All the legacy. Yeah. What I see in identity management, there are basically two challenges. The one is where to start to modernize. And the other is, are there things I better leave and integrate somewhere? Absolutely. I totally agree.
It's not that one fine day one wakes up and says, I'll get rid of all the silos and I know the fabric or a converged platform is what I would go with. That's not how one would imagine it to be, but I think it's a definite journey.
Like you rightly said, it's to begin with at some point, but being future ready in terms of at least having the wherewithal to easily scale up, easily modularize and go from one level to the next in course of that journey and have a definitive plan that, okay, it could mean one year for some, it could mean three, five years for some, depending on the complexity side of the organization. But eventually that's where a lot of the value will turn up in terms of the outcome that they expect. So when I look at this also in what we do sometimes as an advisor, right?
So on the first part, so where to start. We have, for instance, used some standardized methodology, which looks at on one hand, where are the biggest gaps and what is on the other side more easy to do.
So, and some other aspects, and then we can rather well sort of visualize what are the things that are sort of the biggest pain points that are best to fix. And then surely there sometimes are huge pain points, which aren't easy to fix, but are a must. And on the other side, there might be some where you say, okay, it would be easy, but it's a big pain. And that helps them making a bit of the decisions. The other thing I always recommend is don't try to sort of move all the big rocks.
Because implementation or transition projects for each of the major areas of IAM are complex and the management capacity in organizations, not only the budgets, but really also the management capacity, the skills, the people are limitations. And so you will be more successful by doing that. That leads me to my other point. And that is what to do with what you have. And when I, for instance, take legacy IGA, so the provisioning part, and you may have whatever things that are complex connectivity things to your mainframe world or other things.
In some cases, it's really also a bit of a mathematic, whether it's not better to retain part of that, put something new on top. And then, so to speak, use the old IAM system just as a target for your new identity fabric, which then executes to a few systems, which become less and less and less until you maybe then fully replace it, or you leave it because rebuilding whatever mainframe connectivity can be such a... It's a full marathon on its own. You're absolutely right.
Yeah, I think that's what it is. And that's the way to go about it. Yeah. So when we, so getting rid of silos is not easy. And I think, my recommendation would be, don't be overambitious in the sense of, I want to have everything done in three years. Better do it right and focused, so there'll be a more successful approach. I think it's the classic 80-20 rule, right? You've got to achieve the maximum with the minimal effort that one puts in. So with 20% of your effort, what's the 80% problem statement that you can take care of?
Maybe that, for one, it focuses around the crown jewels of the critical IT infrastructure and managing the privilege side of things. For another, it may mean the joiner-mover-leaver process and having productivity on that side of things.
So, yeah, to each their own for that matter. Okay. So let's go a bit away from the legacy towards the future. So we have titled this part, IAM Data and Context. And I think that data is becoming more and more relevant. We see more and more, for instance, AI/ML stuff in the IGA space. And that only works if you have data. And context is out there as an idea for, not only idea, as a solution for quite a while when we look at authentication, where it's about adaptive risk and context-aware authentication. So where do you see this entire field heading?
I think this, I would call it the next level of convergence, right? You're looking at identity-centric security marrying with contextual data-centric security. Because as you rightly said, data in itself doesn't mean much. But if you've got data context, you understand what that data, if you aren't able to address an answer that who has the most important information in the organization and what are they doing with it, then you've got meaning behind what you're trying to do. And that can only happen if you've got a contextual data model marrying with the user context in itself.
So if it's something that is sensitive in nature to the organization, but you also need to know who is the custodian of that in terms of the role, then the meaning of that data becomes more contextual. Isn't there, that goes back to a question that came in here. I referred to the question a bit. It's at the end, isn't there, so there's the context data for a user. So what is the user doing with data that's user-accessed? Yes. Location and all the other things. I think these are, some are more activity, some are more state-based, so to speak. Some may be behavioral based, yes.
Behavior would be a bit activity, so yes. And then there's another angle, which is the context from other identity management services, maybe. So I see this quite frequently when we look at IGA and do the recertification, then we look at, does Martin have the entitlements Martin should have, or is he over-entitled? But at the other angle, what does Martin do with the entitlements? So which are, again, two angles. The one is, did Martin ever use this entitlement?
And the other is, at runtime, if I take the context from my authentication and something is a bit strange, then Martin is doing highly sensitive things. Yes, it's an anomaly, yes.
Yeah, and I think this context thing is a really big beast at the end, because there are so many facets of it, and I tried to bring up a graph-style picture. It leads to a very complex graph of information we need to deal with.
Yes, it's, everything is interconnected, like you rightly, I think, you know, chosen a point here. But the fact is, data is such a notion, right? It flows like water.
I mean, unless you contextualize that and understand the meaning behind where this is coming from, who has it, and what are they doing with it, just having, you know, control over that data is not going to help to my mind. Yeah, so we need, it means that we need to rethink data models. So I see a lot of things happening around graph databases that are used. I personally believe that it's for, not for every use case.
I think, like with most things, it's not that the holy grail, the one solution that's that solves everything. But I think graph databases are definitely an interesting element for certain use cases in the identity management context, which again is a bit tricky, because when someone selects a tool, should someone really need to look at that level of detail, or is it better to look at a capability level?
But at the end, the main thing is that we get the capabilities, and sometimes maybe it's for our troopers analysts when we compare products to understand, is the architecture good enough to serve the needs? No, I think it's important to get down to granularity of the data. It's a difficult task to do, but effectively that is the core prize that one is trying to protect as well, right? So to my mind, there needs to be AI ML driven.
I mean, there's so much of data that even a mid-sized organization, forget about the large ones even, will have within themselves that to actually understand the context of it, one has to have strong AI ML capabilities to be able to pattern recognize, churn them up, and have the intelligence to discover, classify the sensitivity of it, and then put in the context that, okay, if for example, this data refers to maybe a legal contract, this data refers to PII information, this may be referring to security related documents, what is the kind of categorization or classification I need to provide to that?
And the next level of context would be that, okay, if this is a, say, a legal contract document, then who is it lying with? If it's lying with someone, say, who is a business owner or a legal case manager, then it's not an anomaly, though the data is sensitive in nature. But if it's, say, for example, is lying with an IT support engineer, that in itself becomes an anomaly because of the user's context remaining there.
And I think the point is, when we do that right, we can move away very much from static entitlements, from standing privileges, and in the end, most of the stuff which really hurts us today is like recertification, like roles, that is because we have to deal with static entitlements, and we can do way more via policies. Plus, if we utilize AI/ML, and I understand AI really as augmenting intelligence here, something that helps us do our job better, then we definitely can reduce complexity.
So, from here, maybe to, okay, the best part of the decade, zero trust. But so when we look at this, and I think this fits very well to this context topic, etc., which role does IAM play for zero trust? When I start talking about zero trust, I tend to say, okay, you know, when we look at this, then it's about someone, maybe something, Martin, using a device, going over a network, whichever network it is, hopefully encrypted, to a service.
So, if we sort of deconstruct service, then it would be a server with an application, etc., but call it a service, and he does something with data.
So, we have identity at the beginning, and we have access, so to speak, at the end. And so, IAM is, in some way, what really is the big bracket around zero trust. It's where it starts.
Yes, yes. No, I absolutely agree, Martin, and I believe identity is really at the core of a zero trust strategy, because if you look at maybe the three key principles I can think of, right, around verifying explicitly, least privileged controls, and visibility and analytics in case a breach were to happen.
You know, you unfortunately have to assume that a breach happens even post all the, you know, guards that one may put up, but that's what zero trust is all about, that you have to be guarded all across in terms of preventive and detective as well as resiliency controls.
So, I think identity and IAM play a very core important role on that, be it from risk-based adaptive policies to role-based access controls to ensuring there's least privileged access given to users for doing specific jobs, and as you rightly said, even zero standing privileges, we know that there needs to be people, processes, technological solutions in play that can enable organizations to have zero standing privileges, yet make it pragmatic to deal with elevated tasks that may be required to be done as business as usual, but then follow a just-in-time with continuous assessment models around it for zero trust.
So, how do we prove that we did the right stuff? You talked about outcome-based approaches.
Yes, what do you mean by that? So, like I started off with saying, you know, there is a motive behind doing everything, investing into some solution, addressing some problem statements, but probably the mode of how it has been carried out so far is where, because of its own complexities, is where the challenge of not having the expected business outcomes being driven is coming forth.
So, an outcome-driven approach is to actually, the way I look at it, probably turn things around and say that I want this as the outcome. How do I go about it and what do I need to finally get there?
So, to deal with, say, to address that who has access to what and where, am I able to answer that question? Am I able to operationalize between people, processes and technologies at the end of it such that there is a single view, unified result on what I'm looking at and is that measurable?
So, I think these are some aspects one needs to look at when they're looking at specific outcomes. It needs to be measurable and actionable in terms of what the result is and what the visibility talks about.
Yeah, and I think we need metrics, we need to have KPIs and KRIs as well and we need to prove that things are getting better. By the way, which also means, like I have discussed with organizations over decades, we need to start measuring very early. Before we spend the money, we need to have a sort of the metric to compare with.
Otherwise, we can't prove that we really got better. And, yes, and I think at the end, we need to prove that we did the right things and these things we focus on, I think this is also part of outcome, must be the things that are most relevant. The big art, to my understanding, is that we, if we work outcome-based, that we don't forget the bigger plan, the bigger picture.
So, there's always a risk with outcome-based approaches that they are too short-minded in some way, saying, okay, I solved the next problem, then I have 20 different solutions. I think balancing these... Looking at the larger picture is important, I fully agree, yes. Okay.
So, I think we discussed a lot. We do a second poll, then we go to the Q&A. We have already a few more questions here. And already to the participants, please enter your questions now so that Gautam and me can provide our insights to you.
So, but first, the second poll. So, what is, to your opinion, the number one reason for IAM projects stalling or even failing?
So, is this more a stakeholder management, the lack of required or insufficient requirements gathering, the too technology-focused approach? Gautam talked a couple of times about people, processes, and technology. Or is it more an expectation management, over-processing?
So, what's your perspective? So, the more participate, the better it is.
So, there'll be... Try here. Come on. Leave it on for another 10 seconds. Okay. Thank you. Okay.
With that, back to our talk. And right now, as I've said, we'll dive into the Q&A.
Again, the more questions we receive, the better. We already touched a couple of, answered a couple of questions that came in. But I think there are truly some more. And I think that the question I have right now in front of me, that is one which goes a bit into the last point we touched, outcome-based.
So, the question is, what are good quick wins versus good big wins for IAM projects? I just tend to distinguish between these two.
So, what are the quick wins we can show, which are important? But also, what are the big wins, the large things?
So, what would be your favorite quick and big wins? Gautam.
Oh, that's an interesting way to put it across. I think a very good question.
Firstly, I think when you're talking of outcome-driven approach, we really, like Martin said, we really need to be looking at the big wins rather than quick wins. Quick wins are run-of-the-mill, something that comes across as we go about operationalizing things. But outcome-driven approach is keeping the larger picture in mind and the big win in mind.
But having said that, from an IAM standpoint, some of the quick wins I would look at is that, let's just say, for instance, I want to have, I mean, again, talking from a workforce perspective, I want to have my workforce enabled such that they are productive from day one. That's one of the quick wins I want to achieve with a simplistic, automated IAM solution that can take care of my workforce for that matter.
So, a joiner-mover-leaver approach wherein birthright applications are well-established and second across the organization. So, someone joining in has the relevant access to resources, maybe training material, maybe some certain application segments that enable him to start his day-to-day tasks, at least begin to kind of settle down from day one. If I can achieve that, that's one of the headaches that's probably taken away from HR as well as IT operations in terms of enabling users.
On the larger picture perspective, I think it's around ensuring there is holistic management of the complete life cycle of provisioning, deprovisioning, a very stringent role-based access control from a security standpoint and authentication and authorization explicitly put in such that it can also take care of workloads of maybe segregation of duties and the entire life cycle management for access reviews. I think one needs to look at what benefits this larger big win will carry forward and that's what outcome is all about.
When I take another example, if I go to the access management authentication side, then a quick thing could be that we rather fast bring the vast majority of the users to at least two-factor authentication. The big thing would be when we have everything passwordless, there's a risk adaptive authentication in place.
So, the one thing is something we can achieve fast. Nowadays, going to something which is at least these two factors. The other thing takes longer because this is really doing a way more complex and thorough work.
Okay, another question we have here and I think this is also a good one. Which part of IAM should be the best or should we best start our zero trust journey with? Where should we start? Which part of IAM is where we should start when we look at zero trust?
Again, a good question and I've been pondering a lot with this myself. I believe it's probably a circle and any point is good to start with. What's important is to make a start. As I covered earlier on, to each their own in terms of identity security, do you want to first look at your crown jewels in the critical digital asset side of things or data center resources? Are endpoints more important to you in terms of privileges that are there, say, for local administrator? Are you looking at the complete lifecycle management of identity and access management holistically?
So, there could be different elements of an identity-centric security journey coming from an IAM solution, a PAM solution, an EPM solution, or even you take a step back and probably start with just the people aspect of things in terms of training culture, the process aspect in terms of, say, some consulting of improvising processes and then building technology off that. So, it's complex and any place is a starting point. I agree that there are several starting points.
Honestly, the one I would start with, I think, when I look at Zero Trust is improving authentication, including device binding, because this, at the end, is a bit of front-door thing, saying, okay, can I really very well verify the person, ideally in the context? Yes. Do I have the device binding under control? Things you've talked a lot about. Okay.
So, I think we touched quite a number of topics. Answer the questions we have here.
So, then I would say it's time to say thank you. Thank you very much, Gautam, for all your insights. Very valuable. Very interesting. Thank you. My pleasure. It was really good to hear these questions and try to at least pick our brains in terms of what's happened. Thank you to Arcon for supporting this webinar. Thank you for everyone attending this webinar. Hope to have you soon back at one of our webinars or see you at EIC in May in Berlin. Thank you. Bye-bye.