KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, or good morning or good evening, depending on the time zone. Welcome to our KuppingerCole webinar, Best Practices for Business-Driven Identity and Access Management. This webinar is supported by Aveksa. The speakers today are me, Martin Kuppinger, founder and principal analyst at KuppingerCole, and Deepak Taneja, CTO of Aveksa. Before we start, some general information and housekeeping regarding this webinar. And then we will directly dive into the presentations. KuppingerCole is an analyst company.
We are providing enterprise research, advisory, decision support and networking for IT professionals through our research services, advisory services and events. Our main one is the European Identity and Cloud Conference, which will be held again in May 2013, so concretely May 14th to 17th in Munich. It's the lead conference around thought leadership and best practice in digital identity management, cloud and GRC. And you definitely shouldn't miss this conference. Okay. I have quickly shown that there's a lot of research available around the topic we are covering today.
I will show this slide later again, and like always the slide decks will be available for download. So you can then download it and have a look at the number of the reports we have around the topic we are covering today, and that's just a short selection of the most important ones targeted on this topic. Okay. Regarding the webinar itself, some guidelines: you are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We are recording the webinar and the podcast recording will be available by tomorrow.
Questions and answers will be at the end, but you can ask questions at any time using the questions section of the GoToWebinar control panel at the right side of your screen. We will pick them usually at the end. In some cases we might pick a question during the webinar. Another important point for some of you might be that there's the opportunity to earn CPE credits, so continuing professional education credits. We have several learning objectives, sorry.
I've missed updating these objectives, but in fact it's about understanding what is the target of, or what are the opportunities of, going forward with your IAM architecture for better business alignment, and why you need to do these things. The event qualifies for one group internet-based CPE. If you want this point, you have to take and pass the test. So following the webinar, when your attendance has been confirmed, you will be sent an email containing a link to the test and you can then take the test. And if you pass, you automatically earn this CPE point.
So looking at the agenda, like in most of our webinars, there are three parts. The first part is the presentation by me. So why business requirements and new concepts for identity and access management will be my main topic. And in the second part, Deepak will talk about best practices, approaches that have been successful for global organizations, and dive deeper into the topic I've been talking about.
After these two presentations, we will do a little bit of discussion between Deepak and me around some of these issues we've covered in our presentations before we then directly enter into the Q&A session. And like I said before, if there are any questions you have, directly enter these questions, please, so that we have a comprehensive list of questions once we start our Q&A session. Okay. So let's directly start with the content part of it.
When you're looking at what happens today, then I think we are in a phase of fundamental changes and a massive transition of IT compared to what we have had before. And there are three major things we are observing, which are cloud computing, mobile computing, and social computing. And I think all of them are also important topics for your organizations, and these changes have a lot of impact on our IT, and there are two very important ones. One is consumerization, which also means we have to deal with far more people than ever before.
And we also have to accept that, let's say, the level of control central IT departments have is decreasing. And the other thing is what we call deperimeterization of IT. So we are not in a situation anymore where we have sort of our closed network, our corporate network, and only one or few points where someone can pass through the perimeter. But we have a situation where people communicate outside of the corporate network, where many processes cross the boundaries. And in this situation, we have to rethink the way we do IT.
And that affects sort of all the areas of IT, including identity and access management. And one of the most important things that's close to these aspects of social computing, of consumerization and all the other things is that we are facing something which I tend to call the identity explosion. So in former days we had mainly to deal with the employees, which might be a pretty big number, but which usually is a far lower number than our business partners or prospects, leads, customers and all the others we have to deal with.
So the number of identities we have to deal with in some way or another, and it starts with a Facebook login, goes to direct logins of customers, of partners, business processes which span the entire supply chain. So in that case, it's really about dealing with more people, dealing with an identity explosion, which makes things for identity and access management more complex. It's sort of a continuum which we have here. So when it started to happen, we had centralized infrastructures, internal use only, but at the latest with the introduction of the PC, things changed.
So the amount of control the central departments have decreased and we had more flexibility and more openness. Then the internet came up, we did more and more business partner integration. So when we go back some 10, 15 years, then a lot of B2B networks and marketplaces popped up, and for sure business partner integration started in some areas much earlier, so if you're thinking about EDIFACT standards and other things. But overall, this became more and more important. And right now it's about even a tighter integration of the customer.
That's again something which has to do, on one hand, with this identity explosion: we have more and more identities to deal with. But the other thing is that we are also in a situation where we have, on one hand, let's say, a little bit less control of central IT departments. And on the other hand, we have more and more processes which integrate not only our employees, but where others, so business partners and customers, are directly involved. And all of them are accessing the same applications, the same information; we need to handle access control also for them.
So the need to share, which is a business requirement where we say, okay, we want to better support our business processes, and these go beyond the perimeter of our organization. This need to share we are facing also means that we have to rethink the way we are doing access management.
And that also leads to another point, which is, I think, very important in the context of identity and access, which is context, sort of a new paradigm we are facing, where traditionally we had sort of a situation where we said, okay, this is Martin Kuppinger, he has authenticated to his PC and the corporate network, right now he's more or less allowed to do virtually everything. Today, that might be different, because if someone accesses using his tablet via an insecure mobile network, we might be much more reluctant regarding the information this person is allowed to use.
So we have to think about which information is used. How is it used? How good is the authentication, so how trustworthy is it? What is the level of identity assurance, or however you want to call it? Which device is used, where is it used? Are there signs of fraud? So the last access was, let's say, from the PC five minutes ago from a wireless LAN in the UK, and the next one is five minutes later, it appears to come from a tablet PC and it's from China. Then obviously there is fraud. So are there signs of fraud, and all the other things.
And what we also have to do in this context of identity and access is to understand that it's not about black and white, but it's more sort of about shades of gray, where we say, okay, in some cases we trust more, in others we trust less, and our authentication and authorization decisions are based on context. So things are getting increasingly complex in this environment, and you could argue nothing new here. And I would say yes, for sure, cloud computing is not that new. SaaS, as one part of cloud computing, is out for quite a while. Mobile computing is not an extremely new topic.
If you look at social computing, even that is something which is not extremely new. However, some things are changing. And when we look at three things like outward-facing processes, so the number of processes which go beyond the perimeter of our organization, if you look at the number of users we have to deal with, and if you look at the number of external IT services we are using, so cloud services we are consuming, then all of them are related to some of the points I've mentioned before.
So consumerization, more users, social computing, outward-facing processes, the deperimeterization thing, the mobile computing aspect, cloud computing with the external services. So today we are somewhere in the area where all of these things are growing exponentially. And we are in an area where they are growing increasingly faster. So it's really the point where we go from a relatively flat evolution towards a very steep evolution. And so we have to change the way we deal with these things, and our traditional siloed, inward-facing, tool-centric
IT will not scale economically in a world which becomes more complex. And it also means, again, that we have to rethink the way we are doing IT. And that includes, like I've said before, that we have to rethink the way we are doing identity and access management. And one of these areas which is important in the context of identity and access management is this permanent pressure by auditors. So when we look at the reality, what is happening, the auditor comes in.
The auditor says we have some findings. You invest a lot of money, maybe switch to panic mode, depending on which auditor it is and how severe the findings were. You have it addressed, spend a lot of money. Your attention goes a little bit down. The auditor comes back, or the next one comes: new audit findings, and you're sort of working to the auditors.
And what we should better do is sort of having an approach which allows us to say, we don't do tactical solutions for the audit findings, but we try to do it strategically and work to the business and avoid that we are always under the pressure from audit findings. And if we do identity and access management right, then we can avoid a lot of audit findings with a well-thought strategic investment over time. This will be much cheaper than always switching to panic mode, doing investments here, a tool there, tools not integrated, all these things, and it's much better to do it that way.
So again, a reason. And that's one of the things we are seeing, that we have to change the way IAM is done. We have to think strategic, not tactical. So to sum it up.
In fact, when we look at the dark gray area of this picture, that's sort of the traditional scope of information security. So we are more or less within our premises or maybe a private cloud, a little bit of sourcing. We are looking at internal users and partners. We are looking at our classical devices, including the notebooks. But in future, we have more deployment models. We have more user populations to deal with. We have more types of devices.
And so this computing, cloud computing, social computing, mobile computing, is changing this scope of information security and information access management. We have to react to this. And one of the important things we have to do when we react to this is not to try to invest in technology, technology, technology, but to understand what is our purpose within IT. And when business users look at IT, they care not about the T. They care about the I.
They care about information management, about support for what they need to do with the information, and what they really want to have from IT are two main things. One is they want the services they need to do their job the way they want to do their job, the way IT proposes that they do their job. The other thing, and that has changed over the last 3, 4, 5 years massively: business wants to keep corporate information protected adequately.
I think the role of information protection and information security and the perception beyond IT has changed fundamentally. So when you go back some years, the situation typically was: if something happened, you might have had a negative article on page seven of some computer magazine.
Right now, if you have an information leak, if you have some massive incidents, then you might end up being the opening news on TV in the evening. And that's what you really want to avoid. That means also that you have to rethink not only your identity and access management, but, let's say, sort of the entire structure of how you do IT. We at KuppingerCole some time ago defined what we call a future IT paradigm, a guideline for the future of IT.
So how to structure IT to deal with all this development like clouds, how do you manage the cloud services and how do you decide on what is the best cloud service? And we will have a KuppingerCole webinar on this on Thursday, by the way, on how to select your cloud service provider. And within this picture, I won't go through every area. But one important thing is the top layer is business service delivery, really delivering to the business what the business needs.
And then we have to focus on service management, which is more around which service to take, and on information management, how to manage information. And that includes, which I have on the left side, information security. And on the right side, it also includes really the information governance part, which goes beyond information security. So the left side, it's more the IT-driven thing, IT governance as part of the entire enterprise governance thing.
There are reports which cover this much more in detail, but the main aspect is we have to change the way we do IT. And it also means we have to rethink the way we do, for example, identity and access management. Identity and access management has to be something which delivers to the business the services business needs, including approaches which allow the business to manage information security in an appropriate way. That also includes that you rethink your IT organization, moving away from silos towards an organization which really fits to the picture I've shown before.
There's also a report out which is called The Future of IT Organizations, as another interesting document; you might have a look at it. So when looking at all these changes, then the question is: what is the impact on IAM, what has to change? And I've picked some six important points which have to change. One is interfaces to the business user. It's about business users, not about administrators. It's about all users. That's the identity explosion thing. It's about all deployment models.
We have to do identity and access management for a hybrid world, where we have on-premise services, where we have cloud services. We have to do it for all users in all the deployment models, for sure. So also the user which never touches our corporate environment, but only accesses cloud services, has to be handled by our identity and access management. We have to do access management for this person. We have to do identity management for this person.
We have to do it for all devices, which also means managing access in the context. We need standardized approaches, and on risks, governance, information and access risks. So working to the business, not the auditor, that's again this important point.
We have to do it in a consistent way across all that; again, this point: across all the users, all the deployment models, all the devices. And we also should move our governance from systems to services, information and processes. So looking at the business processes, which information is used in business processes and which services are used by these business processes, not only having this frequently found, very system-centric view where you say, okay, what is the risk of the system?
No, it's not the risk of the system. It's the risk of information, which might be accessed by a lot of business processes. That's where you have to start. That's what you have to understand. And if you have new business processes involving new users, then starting at a process is much more logical than looking at a system, which is far away from what the business is really interested in. So there are a lot of changes.
And one of these areas, which I think is a very good starting point, of high interest, is the area of access governance, which is one of the areas which allows us to support things in a much more business-centric way. So we have our business users, and business users want to do their access requests. They want to define their access policies from a business perspective, they might need to do access analytics and access risk. They might need to do recertification, and we need a layer which is focused on them and not on administrators.
And on the other hand, we need something which allows us to integrate this increasingly complex world, where we might have some sort of legacy provisioning quotas, where we might have access governance with integrated provisioning capabilities to some systems, where we might need to deal with new types of provisioning approaches and systems towards the cloud, so things like the upcoming SCIM standard, and all the other things, where we need to interface to service request management systems. And access governance can build a layer, for example, which allows us to integrate there.
So when moving forward in our IAM to better tackle the challenges we are facing, then access governance is a very important component within that. And it's one which allows us to sort of also integrate a lot of different things we have to do towards the cloud, towards existing on-premise environments and all the other things. So having said this, I'm done with my part. I think there's a lot of things I could talk about during the session with respect to identity and access management in this changing world.
But I know that Deepak definitely will provide some additional, very valuable information on this and will continue on what I've been talking about. So I hand over to Deepak, and Deepak, it's your turn right now.
Hello everyone. Thanks, Martin. So Martin did a great job, I think, talking about the trends in computing and how the business is really becoming more and more important. IT's role isn't being diminished as much as IT is being sort of rethought in terms of providing services to the business.
So I always like to say, in some sense, everything we do in identity and access management is about the business. We have to think in terms of the business getting what it needs to do its job, and satisfying the business in terms of making sure that enterprise information, sensitive information, is protected. So what I'm gonna talk about is a business-driven identity and access management approach.
So this sort of picks up the access governance thread that Martin talked about. And identity and access management has been around for a while. It's always been, over the last couple decades, an area that's been IT-centric or security-centric. It's been handed off to a team inside an organization that is technology-oriented, that is security-oriented. And as we'll discuss, and as Martin's already highlighted, we really have to think in terms of the business, cuz it's the business folks that have the context to make decisions about access.
It's the business folks that are looking for appropriate services. It's the business folks that need access to do their jobs. It's the business folks that need to worry about the, the, the business risks associated with, with how their data and how their information is protected.
So, so we'll talk about all those pieces and we'll talk about what the best practices are in terms of putting this business driven identity and access management approach in place. Okay.
So, you know, let's just think about, you know, five key questions that the classic IT-centric identity and access management approaches could not answer. Right. And so if we think about this new business-driven approach, it's gotta be able to deal with these five questions. So, simple question: who has access to what, and how did they get it?
Well, it's very, very hard with the typical identity management deployment to get an answer to that question. Second, do business managers understand what access they're approving and reviewing? So in most organizations, you know, access is reviewed by business people on a periodic basis, but do they even understand what it is that they're saying yes to? And in many cases, you know, the business folks simply rubber-stamp the access reviews. Are the right people making access decisions?
So are the people with the context to make a decision the ones who are doing that, or are other folks simply saying, yes, give this person access or take that access away? How do you know whether access changes are being efficiently executed? Do changes simply go into a black hole, or do changes take forever to get implemented in the end?
How confident are you in the end as an organization that people are granted the access that's appropriate to their jobs? They've got what they need to do their jobs, and that's it. Right? So five simple questions that the classic identity management solutions really couldn't handle, that this business-driven approach can.
So, so let's step back for a moment and, and look at the big picture, right? You've got, it's a complex world out there. Every organization is, is complicated. There's a lot of infrastructure, a lot of applications, a lot of data silos of identity management, directories, mainframes, SharePoint file shares, and so on. And now increasingly cloud applications, mobile applications. So the trend that Martin talked about in terms of social computing, cloud computing and mobile computing, is making all of this environment even more complicated, right?
And, and of course, it's the information security team. That's, that's supposed to get their arms around all of this, but, but they're feeling a lot of pressure from audit risk and compliance teams who are coming in with, you know, here are the regulations prove this prove that this control is being enforced.
You know, show me that, that your process, you know, deals with all of the key compliance controls that, that the organization cares about or security controls that the organization cares about. And of course, there's a lot of change there. So while there's the infrastructure is, is changing and new applications and data resources are getting onboarded and off boarded every day, the, the regulatory environment is changing as well. So there's, there's new controls that need to be supported.
While on the other side, there's the lines of business, you know, 3, 4, 5, 10 different lines of business, all of them with their own agendas, all of them with their own objectives around revenue or objectives to, to meet certain goals. And, and they're, they're hammering on that central team where, you know, give my people access. They need access.
Now, you know, I have someone starting Monday morning, make sure that he or she is productive, you know, the very first day. And there's constant business changes, not just joiners, movers and leavers, but reorganizations, mergers, acquisitions. So, you know, there's that team in the middle that really doesn't have the context and yet is saddled with this notion of making sure that access is always appropriate and people get access immediately, so they can do their jobs, right. And they own neither the people nor the application or data resources. Who owns the people?
Well, some people managers in the line of business. Who owns the applications and the data? Again, someone in the lines of business. So you see that theme coming together: it's really not about IT or information security. It's about the business. They own the people, they own the apps, they own the data. They understand the business value associated with the information resources, and they have the context to make the decisions, cuz they know what jobs people do. They know what their functional responsibilities are.
So let's look at the scale of this whole equation as well. You know, consider an organization with just 10,000 users and think about each user with 10 accounts, you know, whether those accounts are application-specific accounts or they're directory accounts that are being shared across applications, but then, users with ten accounts per user leads to a hundred thousand accounts.
And if each of these hundred thousand accounts has a hundred granular entitlements associated with it, which is not uncommon, that adds up to 10 million user entitlements. So now think about that last slide, which had all of the change, and think about this 10 million user entitlement number. These are the bindings of users to entitlements. At any point in time, there's 10 million of these things and there's constant change. So for an organization to really get its arms around this is a difficult task without automation.
And think about the risk posture involved here, because of these 10 million user entitlements at any point in time, some are inappropriate and need to be remediated, right? So this is the overall challenge that the organizations are worried about. This is the complexity and scale equation that has to be thought through.
And of course that notion of the business being the one that has to make the decisions, cuz they have the context, is critical to all of this. So if you compare sort of traditional identity management with this business-driven approach, and we'll talk more about how to make this approach real, it's really, really important to think in terms of these four legs to this approach. First, shifting decision-making responsibility to the business. Why? Cuz the business has the context. Second, centralizing identity and access context, right?
It's very difficult to serve the needs of the business in a fragmented way. You need to be able to bring all of this information about who's out there, what's out there, who has access to what, how do they have access to it, into one place. And that's what we think of as the one brain that can provide that centralized context and that can provide, you know, efficiency across all of the resources. Third, and this is a critical point, we have to think in terms of processes. We cannot think in terms of tools. It's no longer about tools.
It's about enabling the appropriate business processes in the organization. You know, again, identity management is a complex area and a lot of folks sort of go off and engage in these identity management projects or they've at least done that in the past without thinking through the, the overall impact, the overall requirement, the, the overall context of a business process that involves multiple people within the lines of business, within the information security department, within the audit department, within the compliance department, we have to think in terms of business processes.
And if that means carving up identity and access management into a set of business processes where each business process does one thing well, and just that one thing, well, that's great, because that makes it easy to sort of divide and conquer. You make sure that you're making progress on that one area, you have the right goals there, and those goals are measurable in the context of that process. And the last leg is about policies.
So we, we talked about those 10 million user entitlements trying to track 10 million user entitlements manually with all that change going on in an organization is virtually impossible. So you have to be able to think in terms of automating policies so that there's there's software, there's a system that's, that's making sure that the policies are enforced and, and that, that reduces the load dramatically on the business people cause we're talking about enabling business people to make decisions. So that's the modern approach.
And just contrasting that with the old traditional identity management, which was very much provisioning-centric, bottom-up, IT-centric, tool-centric: the business context was inconsistent. There were silos all over the enterprise. The visibility was incomplete. Total cost of ownership was high because there was no context in terms of business processes. And there was a lack of scalability because everything was thought through piecemeal. And there was no question about dealing with the requirements for the cloud or requirements for data resources.
So that's sort of the contrast here in terms of the traditional approach and the more modern business-driven approach. So let's now look at that business-driven approach in terms of the processes that I talked about, and this is a good way to think about analyzing identity and access management, using a business process approach where in each process the business is driving. It's about the business, right? So let's look at that first process: visibility and certification.
So this process is really about capturing the reality of identity and access in the organization and pulling that into a model, getting that single unified view of who's out there, what's out there in terms of information resources, who has access to what, identifying ownership where ownership is unknown, which is typical when it comes to data resources, and then, with all of this information, presenting that to the business and getting them to review it.
So establishing an automated process for visibility and certification is a great step in this overall pathway to business-driven identity and access management. It provides that overall holistic view of who has access to what in the organization, and it cleans it up, because business folks with the right context, whether they are supervisors who manage people or application owners or data owners, get to look at that reality and they get to make decisions about whether to maintain that reality or change that reality.
So what comes out of that first business process, the first time it unfolds in an organization, could be anywhere from, you know, 10% of the entitlements to 40% of the entitlements getting revoked. And that's all right, because, you know, a lot of organizations have been rubber-stamping their access reviews. And so that cleans it up. So that's the first business process. That's really critical. The second business process we like to think of as policy management.
And this is where, instead of people making all the decisions about who gets to have what entitlement, it's about people with the right context defining business policies about what is appropriate and who should have what, so that the software or the system, the identity management system, automates some of those decisions or at least highlights where those policies are not being met. A great example is segregation of duties policies, right? So anyone who can submit invoices should not be able to approve them.
That's a simple example. You know, if you think about all of the business processes in an organization, there's all kinds of potential SoD issues within each business process. And those can be captured in terms of policies that can be automated. Other compliance controls, whether they are, you know, PCI-focused or HIPAA-focused, there's all kinds of regulations out there in different verticals. Defining policies that enable those controls to be tested is really important. And a lot of those controls are access related.
So this is all about, you know, creating business policies, instantiating business policies inside a software system so that the system itself can watch and make sure that the appropriate people have the appropriate access, and if they don't, can highlight that as a policy violation. Joiners, movers, and leavers: you know, every time someone joins an organization, based on the functional responsibilities that they have, the appropriate access can be given to that person. So that can be done on a policy basis. Right?
And so with leavers, you know, on a policy basis, again, access can be taken away. Movers: you know, you can define business policies for how, when a person moves from one department to another, their access needs to be reviewed or their old access needs to be terminated or the new supervisor needs to do an access certification, perhaps with help from the old supervisor. So this is about putting an overall policy management process in place.
The third process is about role and group abstractions, and a process that makes that business view of access, which business people are dealing with in that first phase and in that second phase, that policy phase, making that business view simpler. So both roles and groups are all about simplifying access, simplifying the view of access that business people have, or IT people have.
And, you know, oftentimes we don't think of groups that way, but really groups are very much like roles. They're either used as, you know, resource groups that are more sort of technical roles or application-specific roles, or there are global groups, which are more like business roles. So, you know, thinking about roles and groups in a consistent way is really important.
And of course, because that business view of access and enabling the business folks is so important, thinking about roles and groups from a business perspective, thinking about what it is that will make that business view of access simpler, is critical. And of course the first issue there is defining the appropriate roles. And to the extent that those groups exist, analyzing those groups and cleaning up those groups. Oftentimes organizations have 30, 4,000 thousand groups in their Active Directory system.
They don't even know what those groups are about. So this process is about the discovery and the definition of business roles, the cleanup of existing groups, and the life cycle management of both roles and groups. Roles become stale, roles need owners, the owners of roles need to be able to track the value that roles are providing over time. So it's really important to think in terms of a complete process that does more than simply, you know, mining roles or popping out, you know, here's 500 roles that seem to make sense today.
It has to be about roles that capture business context, roles that make sense in the organization, roles that simplify the business view, roles that have natural owners for them, and roles that can be maintained over time. The fourth process is really about self-service for the business.
This is about enabling the business now, with those policies in place, with the appropriate business view of access in place, to ask for access themselves and to get it without having to worry about how they're getting it, without having to worry about all the different workflows or all the different approvals that need to occur in the background. So this is about an end-to-end process that enables the business to ask for access in a very, very simple way while enforcing the policies that we talked about in the second process, right?
And at the back end, orchestrating all of those changes across multiple target systems, whether they are on-premises applications, or SaaS applications in the cloud, or data resources, whether it's structured data or unstructured data, files, you know, access to file shares, to SharePoint systems, all of that. And the great thing about thinking this process through is that ultimately it provides a system of record for who asked for what, who approved it, when did that access get provided?
If it didn't get provided in time, who was it escalated to and what happened then? So it provides not just the business folks with self-service, but it provides IT and audit with a system of record to track what's happened in an audit trail. And in all of this, of course, in all of these processes, there's access changes that need to be effected in the organization.
And so there's another process that we like to think of as access change fulfillment, which is actually far simpler than what a lot of companies used to call provisioning, you know, in the past, and this process is about simply fulfilling the change requests that come out of the other processes.
And these changes can be fulfilled either simply by notifying the appropriate people of tasks they need to do, or by creating help desk tickets, or by automatically, through the appropriate protocols or APIs, effecting those changes on the target system. So this is sort of a pathway to business-driven identity and access management, and a great way to think about going from the old traditional approaches to a more business-centric, business-driven, top-down approach to things.
And I'm gonna share with you for just a moment here an Aveksa architecture that sort of matches pretty much that business-driven approach that we just went through, with, in the middle, as you can see, that one brain that has all the context about people and resources, all the context about policies. It gets all that information from a security integration fabric layer that collects data and makes changes to various endpoints.
And then above the database, you see all the business processes and how people interact with those business applications work looks to them like business applications in the context of those business processes. Very quickly, I wanna go through a case study of a large financial services company, a Fortune 100 investment and retirement planning company that deployed Aveksa to move forward with a business-driven approach to identity and access management.
And you can see the value, the business value that they've gotten from that deployment: the amount of time that they've saved, you know, full-time employees, the reduction in full-time employees from five to 1.5, cycle times for certification going from 36 weeks to nine weeks, a much friendlier business user experience. You know, the business users are way happier than they used to be, and, you know, dramatically improved security and risk posture.
Just some statistics here in terms of how they used to review information earlier. You can see it's, again, dramatically improved with Aveksa. The scale of the certification process is tremendously bigger. And you can see that there's 50,000 reviewers involved in their certification cycle, with over 500 concurrent reviewers coming in to do reviews at certain points in the certification cycle.
So this is what it means to deliver that business-driven identity and access management approach with an enterprise-class architecture that can capture the overall data model of an organization, that can deal with both applications as well as data resources, that can deal with on-premises applications as well as cloud applications, that's scalable, and that comes with the right deployment methodology.
So that time to value is quick. So in summary, you know, the traditional approaches to identity management, which were IT-centric, tool-oriented, have really failed. Today's enterprises require a modern business-driven approach that delivers ownership, accountability, and enables the business that has the context to make the appropriate decisions, quick time to value, visibility across the whole enterprise.
You know, again, going back to Martin's presentation, with the advent of the cloud and mobile applications, social computing, and so on, we're now talking about internet scale. It isn't just, you know, a hundred or 500 applications inside the enterprise we have to worry about. Organizations have to think much broader than that.
And lastly, identity context has to go across the security landscape. So we have to be thinking in terms of providing our event management systems, our DLP deployments, and so on with the same business identity context that's being used in our identity management solution.
And that's another key piece of what's going to be required as we move into this new age of mobile, social, and cloud computing. So go ahead.
Yeah, go ahead, Martin.
Thank you, Deepak, for your presentation. And I think that's also very concrete and complete information on how identity access management has to change in this context. And so I think we had a lot of information over there during the last 45 minutes. What I'm interested in, Deepak, is, so when you look at your... So first of all, to the attendees: we have some time for questions. And I wanna ask you to enter your questions into the GoToWebinar control panel so that we can pick up your questions in an interesting Q&A session at the end of this webinar. Deepak, what I wanna understand from you is: you're engaged in a lot of projects. And what I've talked about, what you've talked about, is that services are deployed using different deployment models. And they are, I think, a little bit less close or a little bit far away from the on-premise IT we have traditionally. So how many of your customers are there who are really starting to implement sort of an access governance approach which spans everything from on-premise to their cloud services?
You know, at this point we have a lot of customers who have at least a couple of applications, cloud applications, that they think of as sensitive.
So, you know, we're starting to see that go up fairly dramatically. I think two years ago it would come up now and then; last year it started coming up frequently. And this year, just about every company that we talked to has at least a couple of applications that they think of as tier one.
So, you know, deployments that are starting now almost always include at least a couple of applications from the cloud. And I think that number is gonna increase.
And of course, in many cases, what organizations want is for that cloud app to not just be plugged into the certification process. They also want that cloud app to be plugged into the life cycle management process, the access request process, and the joiner, mover, leaver process.
So it really is, you know, that distinction, you called it the deperimeterization, that distinction between cloud apps and on-premises apps is starting to fall away. People want one consistent holistic solution that works for everything.
Okay. Yeah. And I think the next question, which is related to this, is what about a user? So I think traditionally, if you're looking mainly at the employees and maybe some tightly coupled types of partners, but what about all these people who are, you know, less tightly coupled?
I think sometimes it's easier to handle them, so you can classify, that's sort of that type of customer, but anyway, they have access, you have to manage them, you have to do access recertification, all the other things for what customers are allowed to do. What is the state at your customer base regarding this aspect?
Yeah, so occasionally we see organizations asking for the entitlements for certain partners who are accessing certain applications to be part of this certification process. In many cases, the reviewers themselves, in those cases, are also users at the partner side. So, you know, the use cases are now broadening out from simply sort of tier one applications that employees access to applications that are accessed by business partners.
And again, you know, a lot of that is, as cloud computing becomes more entrenched, we're gonna see more and more of that, because there's these business partner networks where there's information resources that aren't even inside the enterprise. Right. So we're gonna see that more and more, I think.
Okay. The interesting is that's something I've touched. And I think that might be also an interesting point.
We quickly, and again, to the attendees: don't hesitate to enter your questions. I really would like to pick up your questions now to answer them. The other thing I'd really like to quickly touch on is, when you remember the last slide I had was the access governance architecture thing with layered architecture. What we see at our advisory customers is an increasing number who really think in this model, who say, okay, we need to integrate also existing provisioning tools due to many reasons.
And who also see this as part of a sometimes migration approach, which allows them to do phased migration. So what is the state you observe at your customers?
Yeah, that's a really good question. You know, a lot of customers, a lot of folks that we engage with, a lot of organizations already have some software. They already have some level of provisioning deployment, whether it's homegrown or an off-the-shelf solution that they purchased many years ago.
And our approach is always: to the extent that you've deployed something and you're getting value from it, continue to use it. And in fact, with our solution, we try to layer that over what's already deployed so that the organization can get more value from their existing provisioning deployment.
So our strategy is never a rip and replace unless the customer is very unhappy with what they already have in place in that layer. But what oftentimes organizations will say is, you know, our existing provisioning deployment is fine. It helps, it's connected to 3, 4, 5 systems. And it has sort of a coarse-grained view of what's happening to those systems. But we'd like to extend that. We'd like to get both a fine-grained view into what's happening in those existing systems, as well as we wanna connect in an automated way.
We wanna automate change fulfillment to these 10, 15, 20 extra systems. And that is very hard or expensive for us to do with our existing provisioning deployment. Can we use Aveksa Access Fulfillment Express to fulfill changes to those endpoints?
And so that's our approach, to make it really easy to onboard new applications from a change fulfillment perspective.
Okay. We have here another question I'd like to pick. Richard is, have you experienced situations where getting authentication and entitlement data from application teams leads to resistance, and how do you deal with this? Maybe I'll start quickly. I think it's a pretty typical situation that you can end up in projects with situations where people are not very willing to participate. At the end of the day,
it's about good organization, good processes, and especially lean approaches. So you can do such things like entitlement analyses with sort of hundreds of consultants running around, or you can do it with far leaner approaches. And I think it really depends on doing it right. Keeping the burden for the business low and enabling them.
Deepak, what is your view on that question and your experience?
Yeah. Oh, I'm not sure I understood the question. Was it about authentication entitlement or was it...
No, it was in fact, I would say, it was about all the types of entitlement. So all this information you need to manage your IAM from a business perspective. So it's always about, you have the business part here, you have the IT part there. They have to work together. And sometimes, we all know, sometimes that works quite well. Sometimes it doesn't work that well. So what is your experience of that?
Yeah, so our experience is that it requires careful planning upfront when it comes to this business process approach to identity management. It's very important to plan that process and think about who the actors are, who are the people who will take ownership and become accountable for which task. And if that is thought through upfront, then things work pretty well, because you've got a team that knows exactly what jobs people will do.
And there's a way to measure that and a way to check in on that. And certainly our product allows for that to be tracked.
So a lot of it is in the planning, we believe.
Yeah. And I would agree. And I think there's another question which is more or less the same, I would say: how do you overcome department resistance to taking on this duty that has been traditionally an IT responsibility? I think it's really about clear assignments, about distributing the workload across a lot of shoulders, about understanding what is really business and what is IT, to define the interface as well between business and IT, and if you enable business to do the things they know about and they really need, then they're usually pretty willing to participate.
If you try to put too much on their table which isn't their job, which is IT, or if you do it too technical, it won't work.
Yeah, I would agree. And a couple points I will add is: make that business user experience really, really simple.
You know, if business people are clear about what is expected of them, and their user experience is such that they can come in, do what's expected of them, and get out, things will work well. So that's one point. The second point is: try and use policies as much as possible, put less of a manual burden on the business people. Try and use policies that will provide them with decision support. So what do I mean by that? A great example is if there's a segregation of duties policy that's defined in a certification.
If a manager is looking at a subordinate's entitlement, and there's a red triangle next to that entitlement, which highlights the fact that this entitlement violates an SoD policy, you've just made it much easier for the manager to click on the revoke button. Right? So providing the business people with a simple user experience and decision support is important.
Okay. Thank you. So we are running out of time. I think we had a great webinar, interesting presentation from you, Deepak, a lot of questions and discussion. So thank you to all the attendees, and hope to have you in another webinar soon. Thank you. And have a nice day or evening. Bye.
Thanks, Martin. Thank you all.