Hello and welcome to this webinar on How to Build a Modern Approach to Identity Governance in a SaaS-first World. I'm Warwick Ashford, a Senior Analyst at KuppingerCole Analysts, and I'll be joined later by Chaithanya Yambari, who is the Co-Founder and CTO of Zluri. Before we start, I'm just going to go through some of the controls. The audio controls are muted centrally, so we're controlling these features; you don't have to mute or unmute yourself. We'll also be running a few polls. I think we've got three poll questions today, and we will be discussing the results during the Q&A at the end.
When the polls come up, you can find them in your control panel. Please participate and answer the poll questions, so that it'll be useful for you to benchmark and also useful for us to have a meaningful discussion at the end. Don't feel that you are rushed to answer the poll questions. The poll questions will remain open for the duration of the webinar, so whenever you get a chance, just go in, read the question carefully, and then answer as accurately as possible for your organization.
Also, as I mentioned, there'll be a Q&A at the end of the webinar, and the same thing applies there. You can ask any questions you want at any time during the webinar, and we'll pick them up during the Q&A session at the end. To get the most value out of this webinar, we encourage you to participate and make it as interactive as possible.
So, please, if you have any questions, put them in there, and then we'll have a look at them at the end, and we can discuss them. Also, don't worry, we'll be recording this webinar, so the recording and the presentation, the slide decks for me and Chaithanya, will be made available for download, probably tomorrow.
So, hopefully, everything's clear there. We'll just run through the agenda. I'm going to have a look at some of the challenges associated with SaaS applications, and Chaithanya Yambari from Zluri will have a look at modern identity governance strategies, and then, as mentioned, we'll have the Q&A.
So, here is our first poll question. What is the biggest challenge your organization faces in managing identities and access in a SaaS environment?
Is it A, lack of visibility into all SaaS applications, B, managing user access and entitlements, C, ensuring security and compliance, D, handling diverse access standards, or E, a lack of automation in identity management? So, when you get a chance, just read through those options and give us the most appropriate answer.
So, without wasting any more time, I'm going to have a look now at some of the challenges associated with SaaS applications. So, I'm going to start with some of the main drivers of SaaS adoption.
So, the first and most obvious one is cost efficiency. It's much easier and more cost efficient for organizations to run a SaaS application, which has been enabled by the whole digital transformation and the transition to cloud. This means that organizations no longer have to maintain applications on-premises. They don't have to update them, and all that kind of admin work that goes with it.
So, SaaS is very attractive for that reason. Also, scalability and flexibility. When things are no longer needed, they can be scaled down, and they can be scaled up when there's greater demand.
So, I think that scalability and flexibility is definitely one of the main drivers there. As I mentioned earlier, you don't have to update SaaS applications. There are automatic updates, and they're automatically maintained.
So, this is what's making it so attractive. During COVID, we saw massive adoption of SaaS applications, and I think this got everybody used to the idea of working from home and also to provisioning whatever software they needed. Because people were working from home, they needed new applications. They needed to be able to enable this very quickly and remotely, and so SaaS was an absolutely natural thing to do. I think we've got used to this now, and so I think this is one of the things that's leading to the proliferation of these applications within enterprises.
Again, the rapid deployment, another thing that arose during COVID. Things needed to be rolled out really quickly, and it improved collaboration. People were working from home, so then they needed to be able to have the applications to enable them to collaborate, and the integration with other tools is important. And finally, security and compliance.
Now, this may seem a bit counterintuitive, but SaaS applications often have built-in security features. They have continuous updates, so that's an improvement on the security side of things.
Also, many of them have configured compliance frameworks, which is one less thing that organizations need to worry about. And then, of course, there are centralized security controls. But SaaS is a risk, even though it has all those benefits. So we've seen a massive increase in shadow IT since COVID. We've also seen, as I said, thousands of SaaS applications arise, and many are used without supervision or the support of IT. IT is now no longer in control.
I mean, in the good old days, you'd have to knock on IT's door and say, please provision me with this, that, or the other, and they would then, in time, come around and do it. But now with SaaS, many people are just providing it for themselves. There is also no supervision by the security teams or the privacy teams. They've got no way of tracking who's sharing what information. And the same thing with compliance. And procurement doesn't necessarily know what applications are being bought. We saw instances where people, or someone in a department, would just whip out their own credit card.
So each department was provisioning for itself, just to make sure they got the job done and were able to cope in this new work-from-home environment. So as a result, organizations are struggling to keep track of what applications are being used. There is no way of knowing what kinds of applications are being used, who is using them, and what they're being used for. And as I mentioned earlier, the important thing is where personal data is involved.
And that, of course, is most important for all the compliance issues. And also there is the financial component, which is how efficiently licenses are being utilized. When things are not done in a coordinated fashion and there is no way of monitoring or supervising it, there is often duplication. People are paying for apps that do similar things. So there is a lot of overlap and that sort of thing, and unnecessary expense.
So the main challenges of SaaS adoption: consequently, it is difficult for security teams to create and maintain an inventory of all SaaS applications, because it's not all been done through a central point. It is difficult for them to control and manage user access. People are just providing their own access, or doing so within departments. It is difficult to monitor SaaS application usage. Licenses may be being paid for, but may not be used to the fullest, or not at all. It's also difficult for them to ensure that SaaS applications are configured safely.
So again, when people are self-provisioning, they may not know the correct way or the safest way of configuring an application. Most times, they're just focused on getting the job done as quickly and efficiently as they can. Deprovisioning is not necessarily done securely, or at all. It's difficult for security teams to ensure that users have appropriate access for their role and that they're not getting access to things that they shouldn't.
So all in all, these things add up to exposure of your organization to risks of security breaches, because of all the gaps that are entering into what is going on. It's difficult also for procurement and finance to keep track of the licensing costs and to ensure reliability and availability, because this has often just been done on an ad hoc basis. There's no way of setting up a relationship with the providers of these SaaS applications. And then it is difficult to manage renewals effectively by monitoring the SaaS performance.
So if you don't know how SaaS applications are performing, you can't say, well, this is worth renewing or not. It is difficult to identify which applications are underutilized or redundant, as I said earlier, where things are being acquired that do more or less the same thing. So all in all, this adds up to a greater demand for visibility and control. That is what is necessary. And so for a long time now, we at KuppingerCole Analysts have been saying that visibility and control are essential for risk management.
So if you have unknown assets, in this case unknown software assets, or lists that are unmaintained, and then you also have situations where there are company acquisitions, and then of course shadow IT, the implications are for compliance. Organizations are unable to enforce compliance. They stand the possibility of failing audits. And then of course, if they're not compliant, there could be penalties for not complying with regulations.
And sometimes these can be really hefty if you look at some of the fines that have been happening in Europe, thanks to GDPR. Similarly, with the security posture, if there are rogue assets on the network, or misconfigured assets, or as I said earlier, misconfigured applications, unsecured assets, this makes it difficult for disaster recovery. There could be sustained downtimes. Companies could be unable to support disaster recovery planning and unable to meet disaster recovery compliance objectives. So here again, the bottom line is that unknown assets and software can hurt organizations.
And this is something that should not be underestimated. So only with complete visibility of SaaS applications and related data does it become possible to manage and optimize them. So in our view, this can be achieved by supervising the procurement.
There needs to be a supervised procurement process, so that it's not done on an ad hoc basis or on a departmental basis, but that it goes through a central procurement department, that applications are allocated correctly, that security is considered and borne in mind, along with compliance, and that people have the correct entitlements to the right applications and also to the right functionality within those applications once they have them. So SaaS management software provides the tools, support, and processes to manage and optimize these applications.
So all these pressures have given rise to this whole new market of SaaS management software. And these tools typically control entitlements, which is important, as we've been discussing, because you need to know who has access to what. They also typically maintain an inventory of SaaS applications. So this is important. Organizations can know exactly what SaaS applications are being used across the organization, whether that's just within a single country or within a single region or even around the world. Then there's also support for provisioning and deprovisioning.
So when people join an organization, it's great to have the fact that they're provisioned with the correct applications and it's done quickly. But most importantly is that they are deprovisioned when people leave, that they don't retain access rights to things that they shouldn't once they've left the organization. Tools also improve security and compliance, and they enable cost optimization because they know what is being used, who it's being used by, and if there's any kind of redundancy in there.
And they can monitor the performance and the utilization, which also ties in with the cost optimization side of things. And at the end of the day, it helps facilitate vendor management. If things have been done through a proper procurement process and they know exactly which vendors are supplying which applications, then that whole process can be managed rather than being a willy-nilly ad hoc process. And then finally, they provide task automation.
Now, I'm sure through the progress of this webinar, we'll talk a lot more about automation, but I'm mentioning it here because it is one of the things that sets this apart from traditional processes, where there was not any automation or where it was heavily manual. So, SaaS management software is typically designed to deliver the following outcomes: complete visibility. This means that organizations are no longer in the dark about what they have, who's using it, and how they're using it. And I can't stress enough how important visibility is in the context of security and compliance.
Often organizations are unaware that they have things sharing information that are potential gaps in their security. So, the visibility side of things is really important, and that's one of the most important things that SaaS management software is delivering. It also delivers improved efficiency, so that we've got no redundancy, but people are provisioned with the tools that they need to do their jobs and are able to work without duplicating anything.
And also, optimal utilization. I've mentioned this a couple of times now, but it just makes sure that the applications that are being paid for are being used optimally.
Otherwise, you're going to end up with a situation where you've got a whole lot of applications that few people, if any, are using. They were perhaps bought in the heat of the moment when a gap needed to be filled, but then people find alternatives or other people congregate across to other applications for collaboration, and then things become underutilized or not, you know, not utilized at all, and then you're paying that for nothing.
So, that all ties into lowering the costs, and we keep on stressing the improved security that that achieves. And compliance is very important, and so this all folds in; I'm sure, when we get to the Q&A section of this webinar, we'll discuss compliance a little bit further, but this all goes into reducing the risk across the organization. These tools also enable policy-based governance, where organizations can set a policy and then enforce that across the whole organization for all their SaaS applications. And once again, the importance of task automation.
So now, all these things that SaaS management software delivers reduce risk, and on the cybersecurity side of things, it's all about risk management and reducing risk, and that is why SaaS management software is so important here, because it enables organizations to take control and to manage their risk. And really, that brings me to the end of what I had to say about the risks of the use of SaaS applications, and so now we can have a look at our second poll question. Which tools or methodologies do you currently use for identity governance in your organization?
So do you use A, in-house built solutions, B, third-party identity management platforms, C, manual processes, or D, you have no dedicated tools? So just think about that very carefully, and give us your answer in your own time, and then we can have a look at the poll results at the end.
And now, as promised, I'm going to hand over to my co-host today, who is Chaithanya Yambari from Zluri, and I'll let him introduce himself. So before we begin, I'll just give a quick introduction. My name is Chaithanya. I am a co-founder and CTO of a company called Zluri. We are a SaaS management and identity security platform. For the topic of today's discussion, what I want to really focus on is: what's the effective strategy for doing identity governance in a modern organization, which is a lot more SaaS-first?
Now, before we get on to the details, and just to keep the session a little bit more entertaining, as well as more interactive, we'll do a little bit of role playing. So we'll assume the role of a seasoned IT professional. Let's say his name is Sam, and he has quite a lot of years of experience working with traditional organizations. He's worked as a seasoned IT professional in pretty large companies, but he's recently joined a very modern company, which is actually using a lot of SaaS applications.
So let's look at it from his lens, understand the problems that he would possibly be facing, and also look at what's a better strategy that he could implement to solve some of these problems. So on his day one, you can see the scenario: it's basically like an episode of Stranger Things. Coming from a traditional organization to this scenario, he's got access to Google sign-on, and immediately notices that people are using ChatGPT openly, and people are using different AI tools like Jasper AI for the marketing team.
And in all of these scenarios, he didn't even have a device yet. He can immediately identify that there are certain gaps in access protocols, there are certain unknown external users that are currently using these applications, and a lot more external applications. So he decides to investigate a little bit more. He talks with multiple different team members.
He talks to the security admin and gets some information that, hey, just last month, there was a sales rep who shared very sensitive customer data on ChatGPT to write an email, which was something that he noticed. He's had a discussion with the IAM manager, who was basically like, hey, once we give them access to Google Workspace, I've got absolutely no idea what sort of applications they're currently using.
And he talks to the CISO, and she mentions that, hey, right now, our balance of convenience and security is extremely skewed in the wrong direction. So she knows that there's a problem right now, and that's one set of scenarios. On the other side of things, the sales rep says that, hey, we've implemented a really cool new GenAI-based sales tool that's extremely helpful for us. Marketing says that we've recently implemented another tool, and it's extremely easy for us to create new campaigns.
And from the CEO at the top, the focus is essentially on the productivity side of things, and they want to move a lot faster. So in these sorts of scenarios, Sam made a huge realization. Number one, there are two major shifts that were happening.
One, in the traditional scenario, the perimeter was the network; everything was hosted on the on-prem servers. The network was in control. The applications were in control. The endpoints were in control.
Here, the perimeter has moved away from the network to the identity. So there are devices that are connected to the identity, SaaS applications that are connected to the identity. There are external people who have different identities. There's a new hybrid cloud that's going to be there. That's one side of the scenario. And because of SaaS applications, there are other sorts of issues that are coming up. The attack surface has been expanding. So there are a lot of external identities that are using these platforms.
There's improper central authentication. People are getting over-privileged access, which there's no control for. Most of the folks are using applications which might not have been authorized by the IT teams. And there are a lot of accounts and tools where the people have actually left the organization, but the access is not yet revoked. So these are the scenarios that he started realizing.
And at this point, he actually has more questions than answers, because he's not able to understand who has exactly what access. Is there any control of the data that's being shared right now? What sort of data is being shared across what sort of applications? Absolutely no idea. And how many applications exist in the organization today? How many are authorized? How many are unauthorized? And more importantly, is there any sort of privileged access in these applications?
How do I ensure that, across these different SaaS applications, which possibly might have a lot more sensitive data, I know which of these users actually have privileged access? And being an IT professional, his thoughts turn towards how do I reduce my audit complexity? When the time of audit comes, how do I ensure that all of these things are actually under control? So his thought process realized: how do I even begin cleaning this up?
Because it's not a point-in-time solution; he cannot suddenly patch things up. He can't suddenly solve things at a very ad hoc level. He needs to really take complete control and rethink the entire strategy for identity governance from the ground up. So the major idea over here is that you really can't control what you can't see. So the discovery of these applications becomes very, very important. So that's truly the starting point that you can start off from, and that's the usual mantra.
You can only control, manage, or do anything for what you're able to see. Let's get into a little bit more detail. So this is a simple two-by-two matrix on control and visibility. So if you typically look at single sign-on systems, you have complete control of these systems, but you also have very limited visibility. You'll be able to control certain systems. You'll be able to take certain actions.
Going a little bit further in, you'll see that with identity and access management systems, you can actually automate certain actions, automate projects and all of this stuff, but that's only limited to a few applications, because either A, the application doesn't support standard protocols for automating the access via SSO methods, or people are using multiple applications.
If you go a little bit further ahead, you have single sign-on systems, access management systems, and identity governance and access management systems. Here, you're able to essentially unlock access governance, and be able to set up access requests and access reviews, but everything's done very manually. The problem with these three approaches is that you're still dealing with the data that you know today. You're still inputting these items based on the information that you already have.
You're trying to control some of these things in the way that you ideally want to. What's exactly needed is some system that can fully automate a lot of these scenarios, and more importantly, something that can discover this information for you and highlight it, saying, hey, these are the users that are using these applications, and that is always up to date. So let's understand what's exactly needed right now.
So you need a system which has complete visibility about what's happening, whether it's connected by SCIM, whether it's connected by SSO, whether it's something that people are using on their own, whether it's authorized, unauthorized, or shadow applications; you need that complete access control over these. Then once you get the visibility, you would want to have some sort of control.
You would want to be able to understand who are the users that are using this, what entitlements they currently have, can I reduce those, can I understand what security risk is coming up, what activity is currently happening in these applications; you want to build that control.
Last one, which is important: can I automate these? Can I ensure that the orchestration of these applications, in terms of when an employee is joining an organization, when an employee wants to request access, and controlling security scenarios, is done in a completely automated way, so that I'm saving hours and hours of manual effort jumping from one application to another, and so that I have a simplified view, visibility as well as automation and control, across all of these scenarios?
That's exactly where Zluri comes in. We give complete 360-degree access visibility and control of your complete SaaS, so we're able to discover these details, help you control these scenarios, and also automate all of these things. Let's get into a little bit more detail. So Zluri is a unified platform that helps you to govern access. So as we spoke about, you have complete access visibility across all the applications, across SSO applications, non-SCIM applications, shadow IT, every single thing in one single place.
We can also help you understand how to streamline user lifecycle management. We also help you with provisioning, so when a user comes and wants access to a specific application, how do I automate those scenarios? And more importantly, how do I ensure that this access is audited at a regular interval, so that I don't have over-provisioned access for people who don't need it?
And also importantly, I can sleep perfectly well at night saying that, okay, I did this audit just a month ago, and all the things are actually under control. So let's talk about the first problem. So how do you typically get visibility on these scenarios?
Again, as we discussed, SSOs typically contain a very small fraction of the applications that are currently being used in the organization.
So you need to get the data across multiple different systems: from IDP systems, IAM systems, financial management and finance systems, extreme management systems, direct connections to SaaS applications so that you can find out what plugins are installed and what data you can have complete control over, your ITSM systems, and multiple other systems, so that you're able to get all that information in one single area and clearly understand and get complete visibility about who has access to what sort of application, what's the level of access, what the security scenarios are, and also what's the level of usage across these applications. Based on this information,
you can build a risk profile to understand what sort of vulnerabilities are there, what sort of scenarios I have to block, or whether it's something I don't want people to stop using. And more importantly, if you have contractors, if you have external users who are using these applications, what level of access do they have across these systems, and do they have access to any sort of private data? Is there any sort of access to PII data? Can I control that access right now? That's the level of visibility that you definitely want.
And Zluri does that, so you'll be able to get all of that at one single point and a complete orchestration of all those scenarios. Let's talk about user lifecycle management. You want to have a system which is completely automated in terms of provisioning, deprovisioning, and any other scenarios: the typical joiners, movers, leavers scenarios and so forth.
When an employee joins an organization, depending on the department of that person, depending on the role of the person, you'd possibly want to ensure that all the access that this person needs is completely automated. Similarly, when the user is leaving the organization, you'd want to ensure that all his data, all the access that's been given to the person, is completely revoked, and to ensure scenarios like a proper data transfer and proper email forwarding are done.
I'm ensuring that his access is revoked across the multiple different devices that he's part of. All those things need to be ensured so that the user will not have access to any of the data or applications in these scenarios. And lastly, when the user is moving from one team or department to another team, or is getting promoted, or is going to a different section altogether,
you also want to be able to take care of these mid-lifecycle changes. So, that's something that you want to enable by setting up multiple different scenarios.
So, it enables you to do all of these things. You can build policy-driven workflows, which we enable you to see, for onboarding. You can get down to extremely granular details to understand, hey, when a user is identified from a particular source, and you can set up conditions in the way that you want to run these.
And you can configure these automation rules saying, if a person from this particular role, this particular department, is joining the organization and is detected from the HRM system, automatically grant access to these applications. So, once you set up these rules, it's completely automated. Going a little bit more into the access scenarios, you might have a question saying, hey, I can possibly do this on my single sign-on systems as well.
So, why do I need Story at all? Story goes beyond SCIM itself because apart from the automation that your SSO can possibly go here, we're able to go a little bit more beyond that. Apart from the application stack that your SSO supports, we can also support non-SCIM applications as well.
We can also ensure that with direct API integrations, non-SCIM applications which cannot be automated, either A, the application doesn't support the standard protocols, or B, your tier doesn't actually support that SCIM provisioning itself right now, you'll be able to automate those particular provisioning in deep version scenarios. This is a very important item. With limited control of your SCIM enablement system right now, you cannot give access controls to very granular scopes.
For example, if a particular person joins the organization and wants to have access to GitHub, in order to control what sort of repositories that the user needs to have, what sort of roles in the repository that the user needs to have, it's extremely difficult to control those particular things on a usual SCIM scenarios. That's extremely feasible with direct API integration and orchestration. It's all that's going to be there.
Last important item right now, when the user is joining itself for creating tasks on ATS scenarios itself and ensuring that you have a centralized visibility into what's going to be happening with complete onboarding or onboarding structures itself right now, it's very difficult to do that on the single-channel systems. Story enables you to do that.
Just to give you a quick example as well, when you want to give extreme granular controls like adding user to repositories, inviting user to GitHub organizations, creating certain specific roles itself right now, you can get to that extreme granular scenarios itself and ensure that you're able to give the access and that's completely automated on SCIM. If you're able to onboard and onboard users itself right now, that is a part of the lifecycle that user actually comes up. Users typically want to come and actually say, I need to have access to these particular systems.
So when there's access that's actually needed, you'd want to get some approvals. You want to ensure that, hey, if someone needs admin access to, let's say, an AWS service or a production service, then apart from the immediate manager you'd want to possibly get permission from your DevOps manager, or someone a lot more senior, or a security head, to understand the reason for this particular access, so that you can actually have multiple levels of approval before the access is granted.
We also understand that people in Slack or Teams don't want to have another portal. You want to do this directly in Slack. That's something that Zluri enables you to do, so that the complete access request automation is done via Slack or Microsoft Teams. More importantly, once the access is actually approved, the provisioning, the automation of that access, is completely done via Zluri. So once access requests are approved, everything's completely automated directly in Zluri.
So you don't have to spend that extra time and energy to manually create a ticket and go do these particular things. Because we support workflow automations, once the approvals are complete, post-approval the user will usually get the access immediately. So let's quickly look at how this works on Slack. It's the same sort of flow on Microsoft Teams: a user is requesting certain specific applications, wants it for about a year, and raises an access request.
Again, the approver gets a similar thing in Slack saying, so this person would want to have access for about a year; would you be okay with that? And the employees don't have to leave Slack or Microsoft Teams to get the access request approved. And once the necessary approvals are done, the access is automatically granted to that person. Let's look at one very important scenario, which is time-bound access, dedicated access, or controlled access for my contractors and external workers.
First and foremost over here, we need to understand exactly which applications, and what level of access to these applications, the external contractors and workers have. So you can set up those controls and policies so that if there's any scenario where these people have more access than they should, it can limit those things. Number two, for external contractors, the idea over here is that we want to have just-in-time access. So you don't want to give them access forever. You want to be able to get controlled access for a specific period of time.
Whether it's there for 10 days, a day, a couple of hours, or a couple of months, depending on the application and the scenario, you want to have controlled and limited access.
And once that time is up, of course, you want to automatically remove that access as well. Importantly, you'd want to ensure that across all the users you're at least privilege. And if there is any policy change, you want to automatically remediate this risky access as well. So for time-bound access for contractors, they can come on duty and say, hey, I need access to some application for 15 days or X amount of hours. We automatically run these particular access rules so that the access is provisioned.
And on the 15th day, the access is revoked as well. So that provisioning and deprovisioning is completely automated in this scenario. The last important one over here is, hey, I have to ensure that I'm able to essentially control the access path. I'm able to understand which users have access to what sort of applications, understand how I grant this access, and how I automate these particular ones. I'm also able to understand the mid-lifecycle scenarios where someone needs access, and how I control those things.
The important part over there is, how do I ensure that this access is actually getting revoked? How do I ensure that I have a constant audit system to ensure that people don't have access to systems that they're not supposed to? So Zluri is able to essentially do access reviews, or access audits and certifications, extremely well. You can streamline this particular process end-to-end so that it's scheduled on a quarterly, monthly or biannual level. You can set up those particular audit certifications for your scenario.
And the reports that we generate based on that scenario are completely compliance-ready. You can generate these reports and share them with your auditors for SOC 2, HIPAA, SOX compliance. The best part of this scenario is, if during these certifications there's any over-provisioning of access, or people who are not supposed to have access have access to these systems, the remediation of these scenarios is also completely automated, which is going to be very important and reduce most of your manual work.
And in order to do all of these particular things, you don't need a complex setup. You don't need to spend hours, or even days or months, on this one, because you already have all the data points in Zluri. You'll be able to set up an audit within a few minutes and essentially push that across multiple teams, get that information, and get an access review done within a couple of days. The process of reviewing this particular access is extremely simple. The advantage that you typically get in this scenario is that you'll be able to get multiple data points.
If someone wants to understand whether they should give access to this particular person or not, you'll be able to understand not only the basic details about what department it is and what role he has, but you'll also be able to get a lot more insight, saying: what's the license that he currently has? When did he last use the application? What's his role in this application as well?
Right now, you'll be able to understand a lot more data points on this. What's his team? Is he an external user? We'll show certain insights on this one: people who have used these applications, and whether it's privileged access. We'll be able to give that information so that the process of access reviews is extremely short. With all of this particular information, a person like Sam will be able to get answers to all the initial questions.
You'll have complete visibility about who's using what sort of applications, and be able to set up complete access governance scenarios, ensuring that access management is automated, access requests are automated, and access reviews are completely automated as well. You'll be able to get details across who's using what sort of applications, what sort of security threats there are, what sort of unauthorized applications are currently there, which of them actually use AI systems, and which of them are restricted in the organization.
You'll be able to have complete control of all of these particular things within a couple of days of actually starting to use this one. So that's pretty much it from my side. I'll hand this off to Warwick.
Yes, thank you very much indeed. That was extremely interesting. I really liked the points you made about identity being the new perimeter and also the points around how the attack surface is increasing.
Hopefully, that kind of chimed in well with what I said in the beginning. So right now we've got to the point where we're going to have another look at a poll question. And the poll question that we're looking at right now is: what are the key factors driving the organization to enhance its identity governance practices? Is it A, compliance requirements; B, security concerns; C, growth in SaaS usage; D, improving operational efficiency; or E, reducing the risk of unauthorized access? So if you take a few minutes to just consider that and pop in your answer there, we'll have a look at the results a little bit later.
Next up, as I said in the beginning, we're going to have a Q&A session where we're going to discuss the polls and have a look at your questions. And I see there are quite a few questions that have come in, which is great. Thanks so much for those. But before that, I just want to mention the Cyber Revolution Conference, or symposium, that KuppingerCole is presenting in Frankfurt on the 3rd to the 5th of December.
The key topics we're going to be looking at are things like AI and cybersecurity, which is a fairly hot topic at the moment, the anatomy of cyber resilience, cloud security, identity security, which is also a hot topic at the minute, and global cyber conflicts and economic impact. And I for one will be presenting on my latest research on the managed detection and response markets. So if you're interested in that, please come along and listen to what I have to say about that. And we can have a good discussion and debate with some of the vendors represented.
With your slide deck, you'll be getting some links to some of our research that is related to today's webinar topic. So look out for that when the slides come through. And I just want to give you a quick overview of some of the services that we offer at KuppingerCole.
Obviously, the research: I just alluded to the research report that I've done. It's a Leadership Compass report on managed detection and response. We also do events and webinars, including today's event. And of course, we have an advisory team. So I will stop sharing there and we can go to a discussion just between the pair of us, and we can start looking at some of the questions.
And Chaithanya, the first question that I have here is: shadow IT has been mentioned. How can you discover shadow IT, determine who has access, and how it's being used? So does Zluri have that kind of facility?
Absolutely. I think that's one of the important items to discuss, because detecting shadow IT, and building a complete, cohesive detection of shadow IT, is extremely important. So the way that Zluri does it is by multiple different methods.
So you can essentially detect shadow IT from expense management systems, wherein, let's say, one of the employees has actually gone and purchased certain applications through an expense system; or you're possibly using certain systems, like connecting some of these particular applications and logging on to them with single sign-on systems like Google Workspace. It could also come down to scenarios wherein we can detect applications using your CASB systems. Zluri also has its own agents that we'd be able to get this information from.
We also try to get this information from the other connected SaaS applications. For example, on Zoom you possibly would have installed certain plugins. Zluri is able to directly connect with SaaS applications like Zoom and understand what sort of plugins you've installed and what data this plugin can actually have access to.
Again, building a consolidated discovery platform to discover all these shadow IT applications, understand who the folks are that are using them, understand what the security risk of these applications is, also understand how frequently they use these applications, and automatically classify what sort of risk this actually poses, is something that Zluri does really well.
One of the things that I discussed with you previously was that Zluri's approach is very much a data-based approach. Can you maybe just talk a little bit about that? Because rather than just making a guess at things, I quite like this whole idea that you're able to deliver data and say, well, from the data that we are collecting, we can deliver the following insights.
Absolutely. So what Zluri does is, I think, as you rightly said, a complete data-based approach.
So when you're possibly saying that someone's actually using this application, you'd want to have enough data to back that up and, more importantly, understand a lot more details around what sort of access, what sort of usage, and what sort of scenarios they are using these applications in. So the idea here is to get that information across multiple different data points.
So again, all the ones that I've already mentioned: you're able to ingest all that particular data, process it, and then show that in the interface, saying, hey, these are so many shadow applications that are currently being used. We can get a lot more details, saying, oh, someone's actually using, let's say, ChatGPT, for example. Who are the folks that are using ChatGPT? When do they essentially have access to these particular things? What sort of data is essentially being shared with these applications?
So the granularity of the information and the data that's being presented is going to be extremely important to understand whether I can allow this application to be used inside the organization or, based on the risk that this application poses, whether I should restrict this application from being used inside the organization, so that I can also notify the existing users of this application, saying, hey, this is a restricted application right now; you cannot be using it anymore. And also keep a watch, or set an automated alert.
So if someone's using this application in the future, you may be able to block or notify them not to use this application going forward.
That's great, because that speaks to all the points that we were both making around visibility. I think it's really important that organizations know exactly what's happening in their enterprise and across their estate. And having a handle on shadow IT, I think, is vitally important, especially in this day and age when there seems to be a proliferation of it. I have another question here that's come up.
How can IT and security teams work together to implement the best IGA practices in a SaaS-first world? So, yeah, that's quite a broad question, but interesting.
I think, again, it seems to speak to a lot of the things that we've been talking about today. I mean, things like centralizing identity management in a certain place is, I would say, one of the most important things that can be done.
Absolutely, Warwick. And the way that we usually suggest to our clients is actually to understand the ecosystem first.
So first, discover all the applications. Step one would be to understand what you have. As we discussed earlier, you can't possibly manage or control anything that you don't see. Understand these particular systems first, and then classify them into something that you want to manage, something that you're okay to let be in the organization because it doesn't pose a lot of security risk, and also understand what is extremely risky and is restricted in your organization. So these strategies or these scenarios are different for every single organization.
So it's a combination of both IT and security teams coming together to build this particular structure in the organization within these particular processes, and post that, automating all these identity governance scenarios. So this is something that both teams can actually work together on, to set up these policies on a platform like Zluri, so that they're both in alignment about what needs to be used, how you want to control the access, when you want to give certain access to certain privileged users, and when you want to control those scenarios.
So this is a strategy that can work with both teams, set up so that everyone understands the scenarios in which you can allow certain applications and the scenarios in which you cannot allow certain applications.
I don't want to mention the dreaded zero trust term, so I'd rather use the term continuous authentication. That's another kind of strategy that IT teams and security teams can implement. Can you maybe just tell us how Zluri supports this whole idea of continuous authentication?
Absolutely, right.
So the way that we usually suggest to our clients also is to go ahead with least-privileged access. It's a division of work so that no one actually gets to have access at all times. So that, by default, either no one has access to certain things, so that you can have zero standing access, or at least ensure that people have least-privileged access, so that they don't have control or privileged access to some of these particular systems.
And the moment that you need privileged access, based on the persona of the employee, you can set up certain automation policies saying, if I'm a marketing head, I need to have admin access to a specific marketing tool. I can come ahead and request the access right now and get certain approvals, either from the IT team or others, so that you get the access only for certain hours or certain days, and post that the access is automatically revoked.
In that way, no one actually has standing access in the privileged access scenarios, and you're continuously authenticating at multiple different levels, so that you're ensuring that access to sensitive systems or sensitive data is being continuously challenged by multiple people, and you're also mentioning why you need the access at this particular point in time.
So there's a reason and, more importantly, the deprovisioning in that scenario is also completely automated, so that people don't forget that, okay, I gave access today, and six months later the user still has access, but the scenario was just for a day.
I think another important area where IT and security can collaborate is around regular access reviews and authorizations and so on. I mean, you've already spoken about that, but it kind of ties in with the next question, so I'll read that to you.
It says: how can AI be leveraged to improve the efficiency and accuracy of access reviews?
That's a very, very interesting question, right? Because typically what happens over here is that when I'm reviewing, so when I'm sitting in certain access reviews or audits, I want to ensure that these particular access reviews are actually as fast as possible, because it's a lot of manual work. I need to review thousands of user profiles. I need to understand whether these users need to have access to these systems. Is the access right to provision?
I need to be able to mention these particular details in a few minutes, or maybe in a couple of seconds.
So that's where AI systems will really help, because once you have a really good understanding about the persona of the user, once you understand his access and usage scenarios, what's really nice is that, when the access reviews are happening, it takes into account all of these particular systems, understands the persona, understands the application, understands what data is currently being shared, also looks at what role and what privilege of access you currently have in these systems, and starts to show certain insights.
Hey, you've seen that this particular person hasn't used this application for more than 30 days, so maybe you can review these users in a little bit more detail. You've seen that these are the folks who abnormally have access to these privileged systems right now, but typically they don't have access to privileged systems, and the other ones, maybe you'd want to review these ones.
So when you're reviewing thousands of users, focusing on these specific users and specific scenarios is going to drastically reduce time and also improve security, so that you're not doing the access reviews considering all these users at a similar level: you're focusing extra time on these folks, and for the rest of the folks you can just do a glance through and then approve the access certifications as well.
I think the application of AI in security as well is very much along those lines, where AI is able to take a whole lot of disparate pieces of information, put them together, and form a pattern and form an analysis.
I think that's where the limits of human capability are being reached now, and that's why, with access reviews, there's just so much going on that it's almost impossible for humans to keep track of it. So that's where I think AI is going to really come into its own, where it can look across the entire estate, look at exactly what's happening, and make those informed decisions on behalf of the human teams. Yeah, so that's very much in line with what we're seeing in security.
Here's again a very broad but, I think, interesting question. It says: how is the landscape of identity governance likely to evolve in the coming years? What's your take on that?
In the coming years, there are possibly going to be at least three major changes that we foresee. Number one is that we foresee that more and more SaaS applications are going to get used, because companies are going to be opting for more tools.
That means that you need to have a lot better control and better management scenarios in all of these places, so that you're able to do access reviews for these particular systems on a much more periodic basis. Let's move on. Number two, the access profiles of these particular systems are constantly evolving, and they might not be centrally authenticated, so you need to have various identity controls so that you're able to authenticate the systems and, more importantly, certify that this user has the right to access this application.
So getting that information is crucial and, more importantly, understanding the usage of that particular person is also going to be important. So if someone has access to a certain application and he's not been using this particular application for about six months, or let's say the last three months or so, then he possibly might not need the application, and that's another way you're trying to reduce your security profile as much as possible.
The third important one is, I think we just spoke about that: when you have to review thousands of users' access, the role of AI is going to be really helpful to ensure that you're able to reduce the amount of time, to focus on, let's say, sensitive accounts, risky accounts, or possibly users who've left the organization, or any of these particular scenarios, so that you have to focus on the few specific hundreds of accounts and ensure that you're able to take the right decisions over there. Because you possibly have to do this across multiple different applications and across multiple different people, it's a typical increasing problem, and that's where AI, with all the data points, is going to be really helping you to reduce the amount of effort that you're going to be putting in.
So now, another one of our flagship events is the European Identity and Cloud Conference, and this year the focus was very much on decentralized identity, and I think that's what you were touching on there. The view on the conference floor, anyway, seemed to be that that's definitely the direction of travel. Are you seeing that more and more, that organizations are experimenting with decentralized identity, not only internally but across organizations, with partners and so on?
Absolutely, and that's an area which is already evolving, and that's an area that we foresee is going to gain a lot more traction in the upcoming years, not only because it has certain challenges but also certain advantages as well. Currently the advantages are a lot better than the challenges that currently exist, so the moment that we're able to overcome these particular challenges, you'll be able to use these decentralized systems a lot better.
And yeah, so the other thing, I think, in the evolution is that we're going to see a lot more, not only of on-prem and the transition off on-prem, but there's going to be hybrid working, remote working and working from the office, and then of course we've got to contend with cloud and multi-cloud. So how does Zluri support those kinds of scenarios where it's across very different working areas?
Absolutely, right. And that's one of the points that I was actually making: we've actually started to see that the security landscape is moving away from the network sort of scenario to more of an identity approach. Earlier, when it was completely on-prem, everything was actually controlled. The data that you have, the access that you have, everything was essentially centralized. But the moment that it's going towards multiple different identity systems, multiple SaaS applications, it's completely fragmented, and it's extremely difficult to control this particular set of access. And that's going to get more and more fragmented, with more and more applications being used inside the organization, with different sorts of risk profiles and different sorts of access profiles coming in which pertain only to specific applications. It's extremely important to have a sense of what sort of access is actually being shared by this application to that user. So controlling that is only feasible when you have a very good discovery system which is not relying on the data that you currently have today but is in fact able to fetch the data from these systems themselves, and is providing you an almost near-real-time view of what's currently happening in the usage landscape today, so that you have better control. The data is something that's constantly getting updated without any sort of manual intervention.
Right, thanks. This is a topic that I think we could talk about for very much longer, but I see there are a few more questions and we're coming up very rapidly to the top of the hour. Let's go for this question here: do you provide visibility into what end users are sharing on these applications? For example, file metadata of what was uploaded by a user on Dropbox.
In some of these particular cases, yes. So it depends on what sort of applications we are talking about. In some of these particular cases, yes, it depends on whether people are actually sharing certain sensitive content or data and we're able to have access to that particular data via the APIs; then we'll be able to show that certain sensitive data is essentially being shared across these particular users and so forth. So that's something that we can do. But just understanding what sort of data is essentially being shared, and, again, boiling down from the bottom: should this person be allowed to share any data at all? If yes, that's level one. Level two: what sort of data could he possibly share, what sort of files can he share? Level three is going to be: in these files, is there any sort of sensitive content that's essentially being shared? So we usually do this at multiple different levels, depending on the application and depending on the available scenarios that the application provides.
Right, thank you very much indeed. We could have carried on much longer, but I see we're rapidly coming up to the top of the hour. So I think all that remains for me is to thank all the participants today. Thank you so much for your questions, thanks for interacting. Oh, we didn't have a look at the poll questions. Perhaps we could do that very quickly. Let's just have a look at the poll questions. Okay: what is the biggest challenge organizations face? So, ensuring security and compliance. So does that chime in with what you're seeing, Chaithanya?
Absolutely, and I think this is one of the major drivers that we've seen: to ensure that their identity perimeter is completely secure, and that you are staying compliant in certain scenarios, so that you're not overlooking certain things; you're ensuring that the right people have access to the right set of systems. This is very, very important.
Okay, can we just flip through the other two results quickly so that people can see them? Okay, which tools and methodologies: third-party identity management platforms. Okay, that's encouraging, that it's not manual, that people are moving off manual processes. And into our third poll question very quickly: what are the key factors? Security concerns. Okay, so that's one of the big drivers, so I guess no surprises there, but nevertheless interesting. So yes, again, thank you very much for your participation, thanks for answering the poll questions. You'll be getting that information with your slide deck in the next day or so. And thanks to you, Chaithanya Yambari, for your participation today. Have a good day. Thanks, you guys.