Welcome to our KuppingerCole Analysts webinar, Modernizing IGA, Identity Governance and Administration, a guide for IAM leaders. This webinar is supported by Savyint and the speakers today are Frank Schmaering, Senior Solutions Engineer at Savyint and me, Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. Before we start with the content of this webinar, a little bit of housekeeping in the first poll. So your audio is controlled centrally, nothing to do for you. Polls we will run two during the webinar, the first one right after this slide.
I'm always appreciating sort of a very active participation because the more people participate, the more valuable the data is. If time allows, we will discuss the results during Q&A. There's a Q&A section at the right side of the screen of the events tool. So if you have questions, you can enter them at any time. The more questions we have, the more lively the Q&A will be. So don't hesitate entering your questions. Last but not least, we are recording the webinar and we'll make both the recording and the presentation slide available within the next few days.
So this is basically the first poll. And as I said, I'm really interested in your feedback on that.
What is, to your perspective, the number one reason for IAM projects stalling or failing? Is it a lack of budget? Is it insufficient stakeholder management? Is it insufficient requirements gathering? Just running these things too technology focused, so just tool focused? Or is it a lack of proper expectation management? So what do you see as the most relevant reason for IAM projects stalling or failing? We'll leave the poll open in the events tool, as I've said, on the right-hand side of your screen for a few minutes.
So you can respond to the poll at any time while we continue with the webinar. So the first thing I look at is the agenda. So three parts, as usual. The first part, I'll look a bit at common mistakes in identity management projects, in particular in IGA projects, and how to avoid them. And this also goes into modernization aspects then already, when because we're talking at IGA and how to make this work and how to be really successful in modernization.
The second part then, Frank, we'll talk about the business case for modernizing IGA and part number three will be the Q&A session where we also will pick up the questions you end during the webinar. So when we look at identity and access management, then I think it's important to understand this is definitely something which is evolving, which is changing over time. And it's also interesting to see nowadays we see more and more talk about digital identity than just identity and access management. I think these are two rather different perspectives and different things.
At the end of the day, we still have this identity management, which is the core discipline of managing identities, the access and keeping things up and running, so to speak. But also when we look at the history, when it became so known, this discipline was really about administration. So some 20, 25 years ago, we talked about meta-directory services. Then about 20 years ago, we saw the first provisioning workflows. Then user experience became more and more important with single sign-on, with password management.
Before the Submarines-Oxley Act, I think it was back in 2008, added governance to the equation. So access requests and approvals, access reviews, but it was by far not the end of the story. When we look at all the stuff that came up since then, consumer identity and access management, CM, adaptive and now passwordless authentication, policy-based access controls, cloud infrastructure entitlement management, where it's about access entitlements for infrastructure as a service for sort of non-human accounts, non-carbon accounts. This is what is happening, and this is continuing to move.
Nowadays, identity and access management plays a very vital role for business enablement. So it's not just the technical management anymore. It's that digital service and digital transformation build on digital identities, and we can't be successful if we are not good enough in new applications, new types of users, not just workforce identity management for the legacy world anymore. It's already passed for a long time. We need to be also very agile because we see this digital service evolving. We need to be way more agile, way more flexible, and we have all the cybersecurity challenges.
And cybersecurity starts with identity management, and it fails when identity and access management fails. Because at the end, when you look at zero trust, the starting point is authentication, someone with a digital identity authenticating. This is where the entire journey starts. So this is the one side. The other side of the coin is IAM is not a trivial discipline. Projects tend to fail, and we need to think about how can we modernize things, but also what causes failure and how to deal with all that. And I put together some 10 common pitfalls in IAM projects.
You can read this, so to speak, positively or negatively. Negatively, it means then it's the pitfall part. We were not good enough in requirements gas rack. We didn't really understand where IAM, for instance, IGA must be not only now, but in a couple of years. Because we are running a project that will take a while and that must be good enough to be in place for a couple of years. So we need to understand about the future. Just looking at what did others in a successful manner in the past is not sufficient. This also goes to a model which I have further down. It's about stakeholders.
It's always cross-application, cross-organizational. We need to bring the stakeholders on board and manage their expectations. Don't overpromise. Have big wins, but also have quick wins. Things you can deliver fast to demonstrate you're on the right track. We need organization for the project and line organization. You need to have skills in place, either internally or externally, which is definitely not easy these days because there's a skills gap. There's this risk of technology overkill so that you say, okay, problem, tool, I throw the tool on the problem and it will work.
Rarely it works alone by technology. You need more. So don't focus on technology only. Specifically, by the way, in IGA. IGA is about a lot of concepts, policies, processes, maybe role models, all that stuff. A project like this is about change. The way people work, change. You need to set the right focus. You need to do it modern to make it, to have something which really is here for the next decade. And you need to be pragmatic in a lot of areas. Don't be too dogmatic on anything at the end, only then you will win. And there are a couple of key success factors. This relates very well.
So if you want to deliver on time, at budget, in quality, complete and distinct. Distinct means not doing the same things in a rather similar manner multiple times, but saying, okay, this is what I do for these capabilities. This is what I do for these capabilities. With little overlap. User-friendly and extensible. Then you need to understand the requirements also of the future. You need to plan. You need to have a budget, a plan, a project planning, everything. You need to have the people and processes and policies. And then you come to the tools and do this very thoroughly.
Understand what you really need, where your gaps are, what your operating model is, long lists, etc. These are things you need to do. You need to do these things when you do it the first time, but you also need to do it when you are about to change, when you're about to modernize.
And one of the things, for instance, we do frequently is working with customers through their portfolio and understand what they have and where the biggest pain points are and where they sort of can move forward, either the fastest way, so have a quick success, or where they have so big gaps that they must go, must concentrate on. It's helping really to understand what is the right sort of roadmap towards modern identity management.
And IGA, this is without any doubt, is one of the most complex, maybe the most complex area of this industry journey. So to be ready for modernization, it's about sort of, so to speak, creating IAM agility. And that requires a couple of factors. It requires an organization with the right people that are well educated. So you need an organization that is defined, that has the power for things that are identity management, and that has the right people in it. You need them to create a plan.
And I'll talk about the concept of the identity fabric, which we have developed back in 2019, and which has found widespread adoption since then. I'll talk about this model in a minute. So you need to have a to model the things, to architect, you need to plan the roadmap, but remain agile. Things are changing, new technologies are evolving, remain agile. To operate things done well, it means you need a target operating model where it's defined who does what, what is done by the provider, what is done by you, who is in charge of what.
And specifically around the sort of the interfaces between you and your, so you as a tenant and the provider, you need to be very clear about what is your, what is their responsibility. You need to build, you need to grow, you need to have a modern architecture to do so. You need to automate and deploy updates in an efficient manner. Only then you will be able really to have something that is modern for the for the future of identity management. And part of that, a very vital part of that is IGA.
IGA is when we look at the different pieces within identity management of the core discipline, it's the sort of the one which is most established. It means it's there for usually quite a couple of years. So it's frequently also the one which deserves most attention when it comes to modernization. And Frank will talk a lot about this in a couple of minutes. So what we propose is that you focus on what we call an identity fabric, which is a, it's a concept, which is a paradigm and taking an integrated perspective across identity management as a target model, as a target concept where you move to.
So with every modernization step across the identity management, like modernizing your IGA, you're making ideally a step towards this identity fabric as a comprehensive concept where different types of services integrate. Some of them come then usually in a sort of a converged way. So some vendors delivering a couple of capabilities, others filling the gaps. So to build something that is comprehensive and that serves your capability needs is a set of defined services built on a couple of tools to do what the job of identity management is.
The job of identity management at the end of the day is very simple. It's providing seamless yet secure and well-governed access for everyone and everything. This is the left-hand side of the graphic to, excuse me, every service and application. This is the right hand of the service. This is what it needs to do. That means it must support all types of identities beyond the workforce. It must have an identity API layer. This is a very important paradigm shift we are seeing. So part of what we do in identity management, yes, is we manage applications.
We create user accounts in Microsoft Active Directory. This is, so to speak, inside-out. It's the upper right edge of the graphic where we manage. But there's another element in which is outside-in, which is a digital service requests. For instance, that an account is created, that someone is also authorized for certain access. This requires APIs. This requires an API layer. We need to support the legacy IAM and transition it.
We need, this is the way to modernize. When we talk about modernization, we need to have a clearly defined model for where we want to end up with an integrated model of identity management where things fit into each other neatly, but which also helps us to gradually migrate from where we are, supporting the legacy applications as well as modern application sets. It should be SaaS-based and it should support SaaS. So it should be IDaaS and have good SaaS support, but also hybrid IT support. Only then we will be in a situation where we really have at the end of modern identity management.
This is about them having verified entities and access for zero trust, having a model that is really very powerful and very complete. It is about potentially a flexible deployment. So if this is a good modern architecture, so there are approaches which are just multi-tenant SaaS, which is fine if it's done right.
But for others, it should be something which allows you to work with a modern solution, which is flexible and updates, which means we're talking about APIs, we're talking about microservices as architectural paradigms deployed in containers or in different or in similar other modern forms. Because this allows us at the end of the day, a really flexible deployment and flexible operations, because we can change things. And the other thing, which I believe is important for a modernization journey, and this is, I think many of you have deployed IGA.
And I think many of you have had an experience that after a couple of years, you're running out of the standard. So you get in trouble with every update your vendor is providing due to all the customizations you have made, which is partially due to the architecture and related to that's to the way customizations frequently still are done.
To me, good customization means we, as encoding, means they don't happen within the tool. Well, and they must happen outside, they must happen in a well segregated manner.
This is, again, where we have API layer, exposing the APIs, the consistent manner, maybe even with some abstraction layer between the vendors APIs and what you are using, where you are building against. And what you do at the end is you say, okay, we have these APIs, they're exposed by the identity API layer. We create our new sort of customizations as own microservices, which may expose own APIs that are consumed by other microservices or orchestrate, integrate with our solutions. So this is really modern architecture, simply said, and a bit oversimplified.
But I think end of the day, this is an important piece in modernization, because I think one of the big challenges a lot, a lot, a lot of organizations are facing is that they're specifically their IGA became over-customized, and it's very hard to maintain. So this also means we need, in many cases, we need to modernize. And when we modernize, we must do it right. I touched a ton of points, and I hope some of them are really valuable to you.
So Frank, right now, we'll go much more detailed. Before we do so, I'd like to ask you one more question, one more poll here. And that question is about, do you already have a comprehensive blueprint and architecture for all of identity management?
So IGA, access management, PAM, all the other areas, play something like an identity fabric picture, where you say, this is the idea I'm following. So simple answer is yes, no. Looking forward to your responses. I personally believe, to sum up, that we need to think really more modern paradigms. And this should be the guideline we use for modernizing IIM, and in particular, IGA.
With that, I hand over to Frank, and he will talk about the business case for modernizing IGA, and he also will talk about, from his perspective, how to do it right. Thank you very much. I'm Frank Schmering, Senior Solutions Engineer, as Martin already indicated and mentioned at SAVIA. I'm talking today about the modernizing the IGA landscape, some key challenges that you might face, as well as getting the acceptance during the modernization project and program.
While concentrating on some key challenges that you might face already, a lot is being driven outside of the traditional parameter, which continues to erode. So the cloud, as organizations embrace more and more cloud-based architectures and solutions, as Martin mentioned, and there are some important challenges companies are facing. By embracing the cloud, organizations are no longer just on-prem, obviously.
You have on-prem, at least one cloud, probably more than that, like two or three, to avoid some kind of vendor lock-in, and you anyhow need to secure identities across these hybrid environments. Cloud adoption, the speed of cloud, is something totally different, what Martin already outlined, than having on-prem infrastructures.
Now, next to that, the amount of identities that you need to manage, the growth, as we've spoken already, Martin already spoke about it. There are more than just those human identities, there are those cabinet accounts, silicon identities, my external suppliers, the vendors, especially with the NIST 2 regulation kicking in, where you need to maintain also the security around those identity types. The next thing is the integration and adoption of the legacy systems that can't cover hybrid environments.
Existing on-prem IGA solutions lack the ability on dealing with the fast pace of the cloud adoption that you might have, as well as the cloud features and functionalities, which are now disjoint, increasing management issues and the costs associated to that. While those silo technologies also decrease the visibility, but increase certainly the risk around it. But just moving the infrastructure from on-prem to the cloud, while it removes some of those capital expenses of the books, doesn't mean that complex management functions will change. Ultimately, you're paying more.
Infrastructure management, additional solutions, upgrade costs, increased risks, and so on and so on. And we are now faced with silo data, with data and control spread across different systems, which makes it difficult to understand the true risk of my organization, especially with the Clouds Pro nowadays, the onboarding of additional SaaS applications on a common frequent basis. Hence why the identity fabrics approach is one of the fundamental paradigms that you can integrate on eliminating the challenges of the traditional identity approach.
Quite a lot of IGA related projects are lacking of adoption. Only few applications have been integrated, have been managed for the typical joinable believer processes.
Well, according to that, what Martin mentioned, the next phase was through the Savalins and Oxley regulation that excess requests, excess approvals, workflows, as well as excess readers have been kicked in. And nowadays, the rubber stamping is being used quite dramatically, which doesn't improve the security. But the result is an excessive permissioning in your entire ecosystem nowadays in the hybrid IT environment. And one of the main parts is a very, very poor user experience. Additional to that, there are a lot of reports also from Köppinger Co.,
which are referring to the IGA complexity, as well as the adoption to that. And while covering the next couple of minutes, talking about the IGA modernization approach, we'll get some clarity on the definition on ownership and responsibilities within the business, while also considering merging technology stacks, what Martin also discussed in his section to build certain agreements within the business, while then developing a roadmap for modern identity governance administration solutions, and making sure that you will track the success and ensuring that you'll meet certain KPIs.
And the most and majority information that you can need to have is what information do you need to manage? And do you need to govern? Human identities, selling identities, all those service accounts, IoT accounts, bot accounts, chatbots, those are getting more and more through the hybrid IT landscape.
Also, the external vendors, third parties, what COVID has shown, unfortunately, that there is a huge employee base who was working remotely. Those fashions needed to be integrated in the IGA landscape, cloud solutions have been adopted quite fast in order to accommodate the challenges and the requirements of the business. And the information and requirements on building agreement is towards the modernization of legacy IGA system, which requires definitely the buy in from a variety of different stakeholders internally.
Without it, identity professionals in your teams may turn internal allies into enemies. It is quite crucial with everyone from auditors, risk managers, resource owners, application owners, as well as end users to get a certain buy in. In order to be transparent with everyone. Since that you don't need to push ahead alone. This is then the result or might be a result to fail with the IGA modernization project.
Especially with those areas around the cloud infrastructures and the security around it, which requires additional integrations, performance, through the speed of cloud, in order to modernize maybe also the business activities through the IGA program. And what kind of critical capabilities are important across what Martin also mentioned, all identities that I need to govern and manage nowadays, the questions to be answered is who has access to what? Is the access being used appropriately? And what does the access secure?
What kind of target applications my users, my external identities, my business partners, my consumers are accessing? Typically, we ask this regulatory of our employee identities, but the same approach has to be applied on our supply chain, on our seasonal workers, any non-human identity, any business partnerships like resellers or agents, even the students or volunteers could have access to what we consider sensitive data. And that data could reset in multiple places, including on-premise apps, SaaS apps within the infrastructure access or data repositories.
The solution, modern IGA solution needs to address the full identity lifecycle, account lifecycle in the same manner that your legacy IGA system does. So you have to continuously make sure that you meet compliance regulations across the entire workforce in a way to consistently manage join and move and lever processes also towards those non-human identities. But now also considering the cloud infrastructure and more and more on-board cloud applications is shifting the security model and your agility to a new era.
Well, it's important for modernization projects to deliver a fast path roadmap, operate at the speed of cloud, what we just mentioned. Stakeholder buy-in is very important. The cloud has destroyed the separation from on-premise throughout legacy platform support, even hosted ones can't scale to support IGA across both landscapes, legacy IGA across both landscapes. Every roadmap is different from organization to organization. So the business dictates already a certain starting place. Additionally, scoping projects correctly by taking IGA maturity and other gaps into consideration.
Looking on the modernization not only consists out of the right tooling and a certain roadmap. It's all about the set, your initiative, the program that you want to go for, your innovation.
You have introduced a variety of different tech stacks within the organization towards identity governance administration, privileged account management, governance, risk, and compliance, supporting and handling the third-party access seats, as well as looking on data access governance related topics, where you are offering towards a variety of different personas and users, administrators, application owners, resource owners, external auditors, access keys to a variety of different target applications, which are then connected to your target applications throughout what you see on the right-hand side, SAP, AWS, Azure or Infra, and a variety of different other solutions using one particular connector towards each and every solution in order to see the risk, to get the right information to the right audience, to the right persona, while also modernizing your IGA landscape, try to merge tool sets in order to align to the identity fabric paradigm, in order to be innovative, where Savian can support with the tool set, the roadmap on tracking the successes throughout the IGA modernization project, to look constantly for enhancement to build on the new foundation, while modernization success is broadly defined, a few key metrics typically will have a real improvement on processes, as well as on cyber security paradigms, plan towards these, so that your migration implementation and deployment efforts lead to target outcomes, fast return on investment, tracking additionally successful mean, how quickly are you able to onboard new applications through the identity fabric paradigm, how many new services or capabilities were you able to introduce, how many applications were you able to onboard, did your audit findings decline or compliance posture improve, if so, by how much, depending on your operational use cases, also consider how significant was the reduction in the tickets, while performing the IGA modernization, the process issues are now eliminated, are they not, and with that Savian, the enterprise identity cloud is the solution for the IGA modernization, in order to streamline and adopt the identity fabrics approach, since you don't want to really spend the application onboarding within your IGA or IAM business, you want to delegate it into the business, into the department, where it does make sense, where you have those responsibilities and where you have the know-how in those departments, in order to integrate them on a fast scale, not only towards identity governance administration as a SaaS solution, driving the visibility, driving the governance, as well as the continuous compliance capabilities on that, making sure that all identities, all applications and all cloud platforms can be managed and governed in a proper way, as better the data is, as better decisions you can do to support the metrics and KPIs, in order to drive the success on the fast return of investment that you want to have, while modernizing your legacy IGA landscape.
What resource does the access really secure? Was the access being used appropriately? Those information can then be easily visualized while delivering the enterprise identity cloud within your organization. Thank you very much for the information provided. And with that, we directly move to the Q&A session.
So, you should see my screen again. And we already have quite a number of questions here.
So, a pretty long list, so we'll walk through the Q&A right now. And so, you also will see that you have the option to vote for questions, as well as you can enter questions, the Q&A section at the right hand side of the screen.
So, don't hesitate to add questions or to vote questions. So, I think let's take the first one I have here with a vote. And that is, with so many areas of IAM, why should modernization start with IGA?
Frank, do you want to start? Sure. Why? Because cloud adoption, especially IGA, was introduced for human identities, for my employees, for my workforce. And nowadays, with the given permission within an on-prem ecosystem, we have the cloud adoption. Additional workloads that are being introduced, additional SaaS applications, which are continuously being introduced into the business, requires a different approach on dealing with the authorization security system within those SaaS applications towards profiles, as well as roads within those particular target applications.
Have a look, for example, on Salesforce on the fine granularity on the different permissions that you can set. And in order to support those security systems and to manage those in an appropriate way on really getting to the security-related question, who has access to what, and is that access being used appropriately, requires the fine-grained know-how on the security system where those modern IGA systems know of based on the connectors, based on the integration and approach.
Well, you perform quite a lot of development on legacy IGA systems on getting those security systems implemented and being visualized. And as more and more SaaS applications are being introduced, as more development work you need to put in place, you need to do in order to start really those target application integrations, especially SaaS applications. Yeah. Okay. And to let me add to this, I think, yeah, the requirements have changed and we are living in a hybrid world. We need to support hybrid scenarios. We have a clear tendency to shift towards IDaaS.
That's something we observe in the maturity of organizations. And the other part of that is that IGA really, to my experience, is the part of identity management, which is, I talked a bit about being over-customized, hard to maintain, and due to all the customizations, et cetera. And I think you brought this up also frequently, still not being where it intended to be regarding the number of applications connected, et cetera. So this is a logical starting point, even while it's not an easy one. But maybe let's look at the next question.
Frank, you've talked about operate at the speed of cloud. So how to make this work? So what does it need? Is it only the architecture and the customization approach I talked about, or is it more like the right organization and other things? Not only the right organization, the amount of SaaS applications that are being currently introduced into organizations are quite dramatic. In the legacy world, new applications are being sunsetted, introduced with a certain project aligned to it.
Also, the solution application upgrades could have been planned in a proper way. Well, nowadays with cloud applications, they are being updated frequently. Go ahead. The business requires the target applications, new SaaS applications to be right away used. We have still identity access management, as you know, is required immediately. And that is the speed of cloud, the speed of requirements from the business in order to provide the real business outcome on that. Yeah. I think that is what you bring up, the application onboarding approach, for instance, is a very central one.
So I think we need to be significantly more agile in onboarding and offboarding applications than we ever have been, even while we also need to still get better in many cases in onboarding, offboarding, the legacy and the traditional applications. But I think that is a very important element. The one I would like to add beyond application onboarding, and ideally an application onboarding, by the way, that is integrated across IGA access management, PAM, so that if there's a new service, it's onboarded everywhere in a consistent process.
I think the other thing is really an organization and processes that are built for change. So effectively, a process should be very resilient, but it must be defined in a way that it not always breaks when something changes. So we need to be really smart in these areas and really look at a more agile type of also running projects.
But still, I think good agility always means you have a frame, you have a structure in which you do that. It's not chaotic. It's very well structured and managed, but we need to be more agile on that. Okay. Let's look at further questions there. A lot of questions coming in. Okay. Next one. Business requirements are getting more and more complex and seem to force IAM vendors to build features, even while these sometimes are not ideal.
So an internal assignee, for instance, sometimes needs to have multiple personas in IGA because you might have people that are working for different entities that have different roles that are maybe internal, external. My favorite example always is insurance company where you can be an employee, a freelance broker, and a customer. Very different personas. So are you seeing also this growth in requirements and how do you deal with this? Can you support things like that, like for instance, complex persona models? Absolutely.
That is a quite common topic also with modern IGA solution to support a multi-user, multi-persona model where you have you, Martin, as a human identity resulting in 50% of the work stream as a director and 50% as an analyst while you might fear some risks. So we do support it, covering the association, the management of dedicated managers, depending on the contract, which results in either one or multiple accounts for the necessary permissions according to your contracts that you own. And not only with one or two contracts that you might own, but with a variety of different contexts.
Absolutely. Yeah. The good thing is I don't have an active management role anymore. I'm trusted analyst, so to speak. So it's got a bit easier for me, but I fully get your point.
And yes, I think this is something which is not new because it has been there, but it's complex to handle. And I think we need to understand these things, which again goes back to it's not just a tool. We need to understand really just the reality, the complexities, but also need to be pragmatic. So sometimes there are things we better handle pragmatically than trying to find a perfect solution. So it's always a good balance. Next question I have here.
Before we go to that question, maybe we look at the results of the first poll, which gives you then the audience a bit more time to vote for questions in the meantime. So the poll should display in a second. I may need to stop my presentation for that.
Yeah, here we go. So it was about the number one reason for IAM projects stalling or failing. And it were not that few people coming, but it also shows that there's really a lot of things that can make an IAM project and specifically an IGA project fail. So it would definitely look a bit nicer when one or two people less or more have voted because when you're about, I think there were some 40 plus people responding to the polls, so quite a number. But stakeholder management, very much on top. Requirements gathering. That's something I really frequently observe that things are not done well.
I've seen so many scenarios even where really apples and oranges and other types of fruits have been compared because it was not clear what do we need. And expectation management, yes.
And again, that's something where I just can say, not only sink in big wins. This is important. At the end, you need to succeed. You need to bring things forward. But also think about the quick wins. The things you can demonstrate quickly because when you're in a project one year and nothing is visible, you will get the question of where has the money gone. The next question I have here is about, oh yeah, a wonderful one.
Would you recommend rip and replace of a legacy solution, legacy IGA solution, or coexistence of your legacy IGA solution, at least for a certain period, alongside a modern identity solution? You may have different opinions here. It's certainly, but rip and replace wasn't a good idea at all in every, well, since the last decades.
What our digital, well, what our modernization approach is that the Sagent does offer MVPs, minimal viable products, concentrating on the integration of an authoritative source, five target applications, to also provide a return, a fast return on investment towards the management since you need to show where you're spending money or where this entire modernization program is heading to. And sunsetting five applications, going live with five applications throughout the modernization, well done later on.
Sunsetting more and more applications in the legacy IGA solution and introducing that into the Sagent solution modern approach is the far better option. I know that there is a certain coexistence of the legacy solution for a certain time. But from the maturity level, as you've seen that just a couple of applications have been integrated at all. And those legacy solutions, they are in quotes, fast adopted, fast migrated to the modern approach.
Yeah, I agree and I disagree a bit. So I agree with there will be usually a period of coexistence. So this big bang, rip and replace approach is also usually too big of a risk. I think it depends very much on which applications do you have onboarded. There are applications you, and it also depends on what is the lifetime of these applications. So imagine you still have a Lotus or HCL notes and you're still about to retire it. It probably doesn't make much sense to onboard it again to a new modern IGA solution. Imagine you say, I have still a mainframe, but I'm in the process of retiring.
If you are, same story here. Others like SAP, like Active Directory, Azure Active Directory, are the logical ones to move relatively quickly to the modern solution. But there might be a situation where you say, okay, I have a couple of things which are really extremely difficult to migrate. One of the standard questions we have in our leadership compass documents on this IGA space and for identity fabrics is, do you support as an IGA or identity fabrics provider, do you support standard interfaces to other IGA solutions?
So can you, so to speak, use the IGA solution, the legacy thing as a sort of a target system, which then acts and sort of, so to speak, becomes more and more dumb in quotas. So the workflows, the process all run in the model solution, but it's just used for pass through provisioning, so to speak, to the targets. This can be something which is an interesting option. It's finally even in the identity fabric picture at the lower left side. So this definitely can be something.
So again, be pragmatic here, be realistic and think about what you get and whatnot, but also have a clear plan to onboard the stuff in a way better way, more and deeper integrated than you did in the past. So, and this is, by the way, something, there's another question coming in around application onboarding. What are best practices? And I think we touched the application onboarding a couple of times. So what are best practices for if you have hundreds or thousands of applications to onboard?
To me, aside of what I already mentioned, I mentioned, think about having an onboarding that is IGA plus access management plus PAM and maybe more. So not three disparate onboarding processes because then things are more likely to break. The other thing is think in patterns because at the end of the day, there are some very common patterns for integrating. For modern applications, we talk about SCIM as a protocol plus maybe extensions. We talk about modern and more traditional web services for integration. We may have CLI, command line interface. We may have LDAP, AD, AAD.
We have a few specific things, SAP with their own world, but at the end of the day, we probably will end up with a very low number of common patterns. It's maybe a bit above 10, maybe a bit below 10. These are the main patterns and 90 plus percent of the applications will fit into the patterns. And if you define these patterns well on how to handle that, then you will be way more efficient. By the way, if you end up with 55 patterns, then go back to the term pragmatic. But this is, for me, essential to speed up things. Look also at standards.
Sure, SCIM is very helpful. Frank, you surely also have to add some of your experience and best practices here. Couldn't have said it better, Martin, but delegating application onboarding to the right audience, to the people who have the right know-how into the respective departments, in order to talk in a more technical fashion. Those patterns are real, pragmatic and good.
However, when it comes down to the security system of each and every target application, this requires a special know-how from those application owners and resource owners. While then concentrating on the alignment towards the privileged access management or identity provider integration. Yeah. So there are things that are challenging things, but patterns, I believe patterns help a lot because don't reinvent the wheel with five edges every time. Better try to make one good wheel as a pattern, so to speak, where you have really everything defined. How do you do it? What to look at?
How to deal with specifics, et cetera. And then you can have applications that even can help when you have an architectural gate or a procurement gate for applications to provide sort of rapidly back information about, okay, if you go for that application, it fits into a pattern or it will cause extra cost. Even these things can be done if you do it right. And that helps specifically in large organizations, but not only in large organizations.
We have only a few minutes left, but by the way, the question about the second poll, which was about, do you have a blueprint in place, which really covers IM as a whole? It was close to 70% saying no. And just a little bit above 30% saying yes. So some hard work to do. Work on that. You need it. It helps a lot because it helps you building your roadmap, focus your investments, understand how things must fit together. So don't miss to do that.
And also look at what is your sort of, what are your very few one to three core building blocks for such a fabric, which you then can compliment with the very special types of things. I think we pick one more question. And for questions we couldn't pick, I'm quite sure that Frank can follow up directly on these questions. So the one I'd like to pick is just trying to find it. So many of these. Due to many developments and techniques, laws, environmental changes, changes of threats, what should be the ideal life cycle of IM at this moment?
So is it review and define an IM vision, analyze where you stand, take actions, audit or review that, and then review and define your IM vision? I would say yes, because I believe it really makes a lot of sense. This helps when you have a blueprint, where you say, okay, I check where I stand regularly, maybe once a year. And then I refine, I look at what has changed. What do I need to do? So do this really consistently as a standardized process. This definitely makes sense because there's always evolution. And every year, there are new technologies out there. There are new things happening.
And there are changes in the landscape. So this would be my point would be, or my answer would be yes.
Frank, anything from your end? Definitely. Since introducing applications, handsetting applications is a huge organization, a frequent approach, right? As well as not only introducing new applications and managing the existing applications, risks and requirements based on regulations, security regulations, compliance regulations are shifting and changing frequently. So which requires attention.
And there are your reports from the analysts concentrating on integrating, leveraging artificial intelligence, machine learning capabilities, alongside with identity governance, administration solutions, where Savion does support it natively with the enterprise identity cloud in order to accommodate those risks and the application management at all. Okay, great. So we are unfortunately running out of time. So we would have more questions, but I'm just unable to respond to all of them.
With that, it's time to say thank you. Thank you to you, Frank, for all your input. Thank you to Savion for supporting this Google Analysts webinar. Thank you for everyone participating in the webinar, asking questions, responding to the polls, being interested. Hope to have you back soon for one of our other upcoming webinars or events. Hopefully I'll see you in person early June in Berlin for EIC. Thank you.