Okay, so hello everyone. Welcome to today's webinar, IGA Embracing Trends and Amplifying Core Capabilities. My name is Nitish Deshpande. I'm a Research Analyst at KuppingerCole. In today's webinar, we will take a look at what is IGA, why we need IGA, what are the core capabilities of an IGA solution, and how can these capabilities help organizations in their day-to-day activities. We will also take a look at some other aspects of KuppingerCole, such as how we make the Leadership Compass Report, and also our newest tool, KC OpenSelect.
Before we begin, I would like to mention some housekeeping rules. First is the audio control. You all are centrally muted, so we are controlling it from here. You don't need to mute or unmute yourself. And as always with our webinars, we want to keep them interactive, so we will be running two polls during this webinar, and we will discuss the results of this poll during the final Q&A session. So I would like to encourage everyone to please join in participating in these polls and cast your votes.
The Q&A session will take place towards the end of the webinar, but you can enter the questions at any time using the event control panel, and we will address some of the questions towards the end. And finally, we are recording this webinar, and we will make the recording as well as the slide deck available after the webinar in the coming days for your download.
So, let's take a look at today's agenda. First is, we will talk about IGA in an overview, and about its capabilities.
Next is, we will talk about the evaluation criteria that KupingerCole uses to evaluate IGA solutions. Third, we will then look at the methodology of creating a Leadership Compass report, as well as the various categories which are used for evaluating a solution. And finally, we will take a look at KC OpenSelect. It's the new tool which has gone live, and IGA page has just gone live yesterday, so we will give you a preview of that.
I would like to begin today's webinar by starting a poll, and my first question to you all is, what will be the main motivation for you to upgrade or implement IGA in your organization? Is it A, improved security and regulatory compliance, B, automated tasks, C, centralized governance visibility, or is it D, improved user experience? I think I'll give you now another 15-20 seconds to cast your votes. You will see that in front of your screen. Any second now.
So, yeah, thank you everyone for your votes. I'm excited to see what are the results, and yeah, we'll check that out in the final session.
So, let's start with IGA. Why IGA is needed, and what is IGA?
So, IGA is basically about two main terms. First is the identity lifecycle management, which deals with creation, modification, division of identities, as well as it also deals with types of identities and target systems. And then we have the access governance part, which provides a centralized visibility to organizations, and to evaluate three main questions to ask, which is who has access to what, who has access to what, and why, and who granted this access.
So, the IGA market combines user access provisioning and the identity and access governance market. So, this is the main highlight of the solution, but how should you evaluate selecting an IGA solution? And that starts with first identifying the core capabilities of an IGA solution. And we'll start with the first one that is identity lifecycle management. And it provides all the necessary tools and mechanisms for creating, modifying, and deleting of user identities. In other words, it's also known as join or move or leave a process.
So, that is included in this first core capability. Identity lifecycle management also offers inclusive support for all identity-related events, either through the available connectors for automated provisioning and deprovisioning, or use of workflows for manual intervention. Management of user accounts and access entitlements across a multitude of IT systems, including cloud-based applications, is becoming increasingly popular and important requirement for identity lifecycle management as a capability in an IGA solution. Next is the policy and workflow management.
Policy management deals with tools for delivering rule-based decision making, which is based on pre-configured rules for identity lifecycle events. And these events could be such as account termination, role modification, rights delegation, SOD mitigation, in that sense. And the enforcement of these policies is either triggered by the lifecycle of the identity or is determined by associated workflows. And workflow management is concerned more towards defining the necessary actions that need to be taken in support of successfully executing certain events or making certain decisions.
This includes also orchestration of tasks involved in the overall decision making process to support the business requirements. Workflow management should also allow easy customization and configuration to include common business scenarios such as approval, delegations, escalations, and etc. The third we have is role governance. Role governance refers to the capability of having control and visibility on the entire lifecycle of a role, which it starts from its inception towards the decommissioning.
In a typical role-based access control setting, the role governance monitors and tracks the key processes during the lifecycle of a role. Access request management is more about self-service user interface to the users to request access to the various IT assets which they want to access. Now access request management also encompasses the entire process of delivering a user-friendly approach for requesting the access. Now one example is the shopping cart approach which is becoming quite popular for searching and requesting access to deliver better experience to users.
Several vendors we have seen are using this flexibility approach of configuring workflows to allow for modification of access requests after the request submission and before actually fulfilling based on the business process requirements. Password management is another aspect of self-service where it allows for password resets and account recovery in case of forgotten passwords. Another thing that password management allows is password synchronization across different IT infrastructure devices and applications.
Some of the IGA vendors offer risk-appropriate identity proofing mechanism in case of forgotten passwords and this is on top of the already existing multiple layers of forms of authentication that the user has to go through for initiating password changes. Now identity analytics and AI machine learning. This is the new trend that is emerging in the IGA market. In the last 15-16 months we have seen the use of machine learning, AI and overall automation on the rise.
So when talking about identity analytics it uses these machine learning techniques to derive critical information from already existing lots of data and then that helps to make and that and it provides this information to making better decisions based on before the business. Another thing that identity analytics and AI ML is that it also is being seen prominently in other tasks of IGA such as automated access reviews, automated access entitlements and even things such as correlation of identity events across disparate systems to derive actionable intelligence.
So that's the thing which we have seen in the last is that this is becoming fast as one of the things that the vendors are trying to innovate. Access certification is a key capability to gain organization wide visibility. So this is one of the more key feature of an IGA solution and access certification allows processes and access reviews to manage attestations that users only have access right necessary to perform their job functions.
Access certification campaigns also facilitate faster and accurate review of access by highlighting policy violations and permission conflicts in users access entitlements and this is based on across multiple applications that it takes into consideration. More commonly based on resource level or hierarchy requirements, access certification capabilities are increasingly becoming risk aware to include micro certifications based on the risk of an identity life cycle event.
Unlike certain things such as periodic access certifications, event-based micro certification is contributing significantly to continuous access governance capabilities of an organization. Next is the SOD controls management and this refers to the controls that are important to identify, track, report and mitigate SOD policy violations which could lead to internal fraud in organization unauthorized access in some cases. These controls are crucial to manage role-based authorization across applications with complex authorization models.
One thing is that IGA controls provide more coarse-grained abilities to identify SOD risks than at a fine-grained entitlement level found in other complex home-grown applications and for example ERP solution. Key controls that are offered as part of this SOD controls management includes cross-system SOD risk analysis, compliant user provisioning, emergency access management, advanced role management, access certifications and so on. Reporting and dashboarding this one refers to creating valuable intelligence out of enormous amounts of data that is available.
Dashboarding is an important auditing control to monitor effective operation of IGA processes. IGA vendors are offering inbuilt templates for reporting with the ability to customize reports and suits business auditing and reporting objective. Most vendors are also allowing for IGA data export using certain specified industry industry formats into third-party reporting analytics tool for advanced data modeling and business intelligence.
For the purpose of you can say reporting and dashboarding capabilities of IGA, vendors are also trying to see if they are compliant with the major frameworks that are available in the market right now. Then is the ease of deployment that we are looking at. Ease of deployment is more about how the IGA solution can be deployed on your system and how is it delivered as well. Is it delivered in base of container, is it delivered on public cloud, private cloud and so that comes under the ease of deployment. Next is automation support.
This one is similar to the AI and ML part which we discussed earlier is using automation to automate these less critical tasks which do not require high level decision making. Then the third-party integrations is also integrated as a capability of IGA solution and finally the scalability and performance. This relates to if the solution is equipped enough to be able to scale to the organization's needs and can it match the performance that is required.
Now that brings us to what are the activities that can be supported by IGA in an organization and that starts with first automated provisioning and deprovisioning of user accounts across all the target systems. Next is management of access entitlements and associated roles of users across the IT infrastructure. Configuration and enforcement of policies not just static but also event-driven access policies for the accounts to access the IT systems and applications.
User self-service allows users to validate their access to systems, request password and also request additional access that can be also supported by an IGA solution. Then access certification access reviews more about supporting on-demand and event-driven user access certification campaign to detect and mitigate access violations. Auditing and reporting of access activities or is leading to critical information regarding servicing and monitoring or an optimization is also supported.
A few more things which come to my mind other than these points is synchronization of identity attributes and access entitlements which are related to user accounts and groups across the entire identity repositories. Another one is the verification and synchronization of user account passwords and other identity attributes from an authorized event and source across the identity.
Finally one thing which also it can be supported by IGA is the reconciliation of access across the IT environment based on the defined policies to ensure compliance and prevent any other policy violence violations SOD policy violations. Now when it comes to evaluating IGA solutions we are keeping a goal have a few set of criteria that we go through and in this segment we will take a look at the technical requirements that we assess and rate and that starts with these eight categories that we look at when we are evaluating an IGA solution.
These are the technical categories we have many other categories categories that we look at but these are the highlight ones. The first is access and review support where we look at integrated access governance capabilities that can support activities such as the review and disposition of user access requests certifications campaigns access remediations also something that is also looked at in the in this segment is the SOD controls to identify track report violations so that is all part of this access and review support.
Next is the architecture and hybrid environment and this can this category represents a combination of the architecture where we look at and focus on is how is the architecture is it modern modular how is it based on microservices and we also take into account how is the deployment done is it container based which provides more flexibility or is it in some other format something else that is evaluated in this category is the solutions ability to support a hybrid environment for customers that anticipate or are currently taking an intermediate step towards migrating from on-premise to the cloud.
The third is the centralized governance feasibility this is the this is we look at from here the dashboard capability where the organization can have a centralized view of all the issues related to access governance and so that is the point which is taken into consideration here. Then is the identity life cycle management we look at not just how the life cycle of an identity is managed but we also look at some other capabilities such as access to identity stores data modeling and mapping and also what kind of different activities are supported in this solution.
Identity and access intelligence is about the AI and machine learning and automation aspect. Advanced capabilities such as using machine learning techniques that can enable in recognizing pattern for process optimization role mining role design automated reviews and an anomaly detection are taken into consideration here. On top of this other things such as user access information, user access recommendation, authentication and authorization is also taken into consideration in this one.
Cell service and mobile so with mobile support is about how the users can request access, what is the overall user experience, how is the user the layout of the tool and so that is into the more you can say the physical aspect of the tool is taken into consideration here.
Target system support this one is about not just the depth but the breadth of the connectors that we look at and this is for on-premise as well as SaaS so that that is one of the critical elements you can say for an IGS solution is to have good target system support and one thing we also look at is if the solution has the ability to create custom connectors based on the requirements and finally the workflows and automation this one is about advanced workflow capabilities which includes graphical workflow configurations and also up to an extent how certain tasks can be automated and which task cannot be automated and why.
That now brings us towards the third point of today's webinar is the leadership compass process the methodology and this methodology consists of four steps. Starts with research where we identify the vendors, get briefings, we also conduct demonstrations with the vendors, try to see how the solution works and then we also receive a technical questionnaire from them. Using all this information we go into the next step that is analyzing. Here we analyze the vendor in multiple categories and also we are writing here the draft of the report. Third is the fact check process.
In certain cases when the research was first conducted and when the report was created it takes around one to two months of time so in this period maybe certain vendor has had new updates in those time period so or there are some issues or there has been some roadmap items which are delivered in these two months so we use this fact check process for addressing this and correcting some issues if there are with the vendor item and finally once it has been gone through our internal review as a reflection review we publish this on our pingercool.com website.
Now what are these categories that we look at when evaluating vendors? There are in total nine categories and these are the first five categories which includes the security, functionality, deployment, interoperability and the usability of the solution.
That means does the product meet the security requirements, what are the functional capabilities of the product, is it easy to deploy, easy to deliver, does it interact well with other services, third-party integrations and how is the overall experience when it comes to using the actual tool for the admin as well as the users and then the final four categories are around innovation, market, ecosystem and financial strength.
In the innovation we look at if the vendor is making any progress in terms of providing new solutions, new features to the product to make it more stand out and the next is the market position. Here we look at more about the vendor, how many customers the vendor has, in which geographical regions are the customers based, in which geographical regions they are operating, in which types of industries they are operating. So that is evaluated in the market position segment.
In the ecosystem we look at their overall partners and how they are spread out globally and finally it is about we look at the financial strength of the vendor, how is the company funded, what is the revenue of the company, has the company been profitable and what are the overall how many employees does it have, what are its R&D plans. So it's a very in-depth analysis of the entire vendor as well as the product using these nine categories and once we have done with our analysis we start rating the vendors based on these four categories.
First is the product leadership, this leadership category rates the vendors based on their functionality of the solution. Next is the market leadership, this one is about seeing how the vendor ranks when it comes to their customers, when it comes to being present globally or in certain region. Third is the innovation leadership where the vendors are rated based on how are they delivering new and useful features for the customers and how are they trying to come up with new features in the market. And fourth is the final one which is the overall leadership segment.
So this combines the first three product market innovation leadership into one single four overall leadership category which gives an overview of all the vendors. So yeah that's how the leadership composable is created and before we move on to the results I want to start with the second poll. So this one is what is the hardest part of selecting an IGA solution, is it a vast number of vendors, b understanding the capabilities that vendors provide, is it c fixed budget when it comes to the vendor if they are flexible or not or is it d secure selecting the right vendor.
So you will have again another 10-15 seconds to answer this poll so I encourage everyone to take part in this. All right so thank you everyone for your votes. We will discuss the results very soon. We are just towards the end of the webinar so I would like to conclude with showing you the results on how you can see the results of our analysis using the KC open select tool. Now KC open select tool helps you to find the vendors based on your requirements.
You can configure the requirements based on understanding what are the gaps you're missing, what you want to add and it's a very interactive tool. You can play around with the categories of the spider can graph and shows you all the vendors who can match your requirement and also a comparison between all these vendors to help you decide which one is the best. Of course it finally depends on the customer to see which vendor meets the category and they should do due diligence of the IGA solution provider before going ahead and here is a quick overview of the 2022 IGA report we did.
In that report we rated these vendors on the left side so we had 26-27 vendors on the which we rated so it was quite a big report and but we also have a section called as vendors to watch. In this section we have not rated these vendors but we believe that these vendors are really good and they are showing good progress towards having a really good solution.
So now talking about the KC open select once you go towards the KC website you will find the open select tool you can select for IGA from many other domains such as CM, password management and once you have on this page you will see these you can see I'll bring a mouse here so IGA solution you can in the bottom you can see various categories such as the highlights, the market, market segment definition, the considerations that you should make before moving to a solution, the use cases we have we have used a few use cases to differentiate the vendors and rate them based on these use cases then overall you can find all the solutions that are available by just clicking here as well as the vendors and that brings us to yes so these are the use cases which I was talking about for example you know over here you can see it's about user and access as well as work surface and self-service then the internal considerations include things such as product scalability to identify if you have your can you do meet the prerequisites for the technical requirements and these are the questions which you can ask the vendor before going to the selecting a solution so we have also listed down some questions which you can go through and see before asking the vendor so yeah we have just over a minute left so I would really like to see the poll results before we go towards the end so if you can see the poll results take some few seconds yes so we have the first result that is what will be main motivation for you to upgrade or implement IGA in the organization and it's a tie it's a tie between a improved security and legality compliance as well as c centralized governance visibility and complete and based on the IGA solutions that we have right now they have reached a maturity in these states so it completely makes sense the evolution is coming more towards improving the user experience and automated tasks so that definitely makes sense to have as a secondary priority and if you take a look at the second poll result what is the hardest part of seeing an IGA solution so in that a is the leader is 15 percent understanding the capabilities that vendors provide that that's why so we would like I would like to show you we showed you this case open select tool which helps you to go through all the vendors what are the capabilities what do they help in your requirements as well so this is where the case open tool comes in handy for you so yeah thank you for the poll results I will go back to my slides I would like to end by guiding everyone to our related research section so if you want to find more information around the topic of IGA you can find it here such as example is this leadership compass report if you had to buy bias compass as well as many more reports which you have done around IGA solution I'll just quickly check if you have any questions to ask oh we are okay we are about time so I would like to thank everyone for joining today's session and I hope to see you sometime next time again soon on a webinar thank you