Well, good afternoon, everyone, or good morning, depending upon where you are in the world. And welcome to this KuppingerCole webinar, Access Governance in a Cloudy Environment. The speakers today are myself, Mike Small, and I'm an analyst with KuppingerCole. And the second speaker will be Amit Saha, who's the Chief Operating Officer for Saviynt. And a little bit about KuppingerCole: KuppingerCole is an industry analyst, and we provide a number of services which include research, advisory and events.
And our keynote event every year is the European Identity and Cloud Conference, which is held in Munich. And next year it will be from May the 10th to May the 16th. So put that in your diary and make sure you come along to that. So this webinar, the basic guidelines are that all of the audience, the participants, are muted centrally. You don't have to mute yourself. The organizers will control the mute and unmute. The webinar is being recorded, and you will be able to see or hear a recording tomorrow.
And you can ask questions at any time using the menu part of the form that is part of the GoToWebinar that's on your screen. And we will try to pick these questions up at the end, or sometimes, if appropriate, during the webinar. So this webinar is in two parts. And in the first part I will describe basically the environment in which access governance remains a critical factor to managing risk. And one of the issues that has arisen around access governance is how you apply that to the increasingly used cloud services.
And in part two, Amit will describe Saviynt's approach to access governance and how Saviynt offers an integrated platform to manage risks across data, applications, and infrastructure. So to start: today's businesses, today's organizations, we believe, need to have a high degree of agility, and not only that, but today's business is what we call the agile, connected business. And they are connected to their associates, to their employees, to their suppliers, their partners, and above all their customers.
And this agility, this use of things like the cloud and so forth, together with this connectedness, is posing new sets of problems. But to see some of the benefits that you get from this: there is a UK TV channel that will identify the kinds of people, the demographic data about the people that are watching a program whilst the program is on air, using information from social media feeds and other sources, in order to be able to sell advertising that is targeted on the fly during the program. And this is the kind of thing that we see from organizations that are fully exploiting the opportunities that the new technologies are bringing.
However, information security remains the critical enabler for this, because the more that you open up your IT systems to these different sources of connections, the more that the problem of security becomes. And so you find that access governance is fundamental to information security. It's fundamental to enabling the agility. It's fundamental to mitigating risk.
It's fundamental to achieving compliance as well as saving costs and improving communications internally. Now, many people are saying, so what? What is the problem? And the problem is that these new IT service models like cloud introduce new challenges. And in KuppingerCole, we have done a lot of research on the challenges that the cloud brings, and of these, there are five top challenges that we see. Now, things like lock-in and legal risk aren't really relevant to this, but compliance and cybersecurity are really, really relevant to access governance.
And so that's what, if you will, we are going to focus on today: the two top risks of compliance and cybersecurity, which come from the use of the cloud. Now, many people believe that when they use the cloud, they hand over all of the responsibilities to the cloud service provider. Unfortunately, that is not the case. And in particular, your organization, the organization that is the customer using the cloud, remains responsible for compliance.
And to give you a very quick overview of how responsibilities are divided between the provider and the customer: for infrastructure as a service, the provider is only responsible for the infrastructure. That is to say the actual building and the servers upon which the system runs, up to perhaps the hypervisor level, and the customer is responsible for the operating system, the application, the data, and of course all of the things to do with managing identity and access.
With software as a service, the customer is in fact still responsible for the data. Under most of the legal regimes, the customer, who in Europe is the data controller, remains responsible for the data held in that service and who can access it. So the tenant retains responsibility for those areas that are around identity and access governance.
Now, not only that, but identity and access control is really the new perimeter, because what is happening is that in order to get to these applications and this data, all of these different categories of people need access.
And so the need for access has expanded, because you are now letting these external people, these suppliers, these partners, and these customers into your systems in order to do business with them, or for them to provide you with services, and you still remain responsible for risk and compliance. The cloud and bring your own device in particular add to these problems, and cybercrime: the cybercriminals can now use your openness in order to get closer to the things that they would like to steal.
So when we look at how access technologies have changed: in the past, the problem was really seen as being how to control access by employees and associates to the data and applications, and the four things that you can see, the four A's, the authentication, authorization, administration and audit, were entirely internal and related entirely to internal customers.
Now, because we need to enable access, we actually have to let external people into this. And so in order to understand what is happening, we need to be able to use the data from this application, legitimate access, to integrate with real-time security intelligence, to detect whether or not there are problems, whether there are cyber attacks and whether or not you are being breached.
Now at the same time as this, from a perspective of governance, there is an increase in complexity around the problem of managing entitlements. And a very simple-minded view of this, which is where things started off with role management and role-based access control, was to say that as long as you knew what somebody's role was, then you could determine what they could do. And as long as you could see someone was only in that role, then everything was fine.
Well, in fact, it's not quite as simple as that. First of all, a role is part of the problem, but other dimensions, like for example geography, are also an issue, so that the actual location of a person may also determine certain things related to compliance over what she or he is allowed to do. Now, people also have multiple roles. The time when, you know, one person had one job is long gone; most people in most organizations perform many tasks.
And in this particular case, I've given the notion that many people who have some kind of line management responsibility are also in a way related to marketing and may have social media accounts or blogs that they run on behalf of the business. So they also need that kind of access. And then finally there is this problem of dynamic entitlements, where the fact that Alexei is a manager would normally allow her to approve Bob's expenses. But depending upon the circumstances, there may be occasions when she's not allowed to do that.
And a fairly typical occasion is that you are not usually allowed as a manager to approve the expenses of someone who has bought something for you. So if your employee, if your subordinate, takes you out to dinner, you can't then approve the bar bill. So those are the complexities that an access governance technology needs to be able to cope with. Furthermore, the notion of authentication, which used to simply be that you had a username and password for an internal employee, was based on the notion of a fixed view of risk.
Well, that is no longer the case. What you have is the fact that employees are mobile and they may be doing things from different places. And depending upon where and when they try to do things, the risk may be perceived to have increased. So what you actually need is adaptive authentication and adaptive access management. And this notion of risk-based authentication is another area that needs to be subject to governance.
And finally, there is the increasing use of third-party identity providers, trusted identity providers, to identify customers and partners through things like federation and OpenID. So all of those things are adding to the complexity. And then not only that: there was a time when the perception was that cybersecurity was about antivirus and it was about network perimeter protection.
Well, cybercriminals don't try to break through the perimeter now. What they do is they use the legitimate routes in, and the only way that you can tell that they are in is in fact by detecting abnormal use of what they do. And an interesting case in point was where a data breach was detected by a librarian who noticed that a director of the company was starting to access a lot of the intellectual property documents that the librarian was responsible for. And the librarian was very keen on his job. So he phoned the director up and said, I see you are accessing a lot of stuff.
Maybe I can help you, to which of course the director replied, I'm not, I don't know how to. And what had happened is that the cybercriminals had found a way of getting hold of this guy's credentials and were using effectively legitimate credentials to exfiltrate the intellectual property of the company. And you can only detect that kind of stuff by understanding what is normal behavior.
And that normal behavior is determined by seeing the information that is collected by the identity and access management logs, and that needs to be compared with what people are entitled to do and what they normally do. So when we look at governance, a lot of people don't understand exactly what governance means. And I go for the COBIT definition of governance, which is that governance is something which sets business objectives, as opposed to actually implementing things.
And so you can see that in the COBIT definition, governance relates business objectives to directions that the company should follow, and then monitors that those directives have been followed, and management is about the whole process of planning, acquiring, building, using, and assuring things. And so governance sits above the layer of implementation, if you will.
So in order to be able to manage and measure governance against business goals, you need to be able to relate the details of what your policies and what your measures are to those business goals. So it is not a business goal to prevent certain people from accessing anything. What you have to do is to be able to say a business goal is something like: my requirement is to conform with EU privacy legislation.
Therefore, personally identifiable data should only be accessed for the purpose for which it was collected. And so we can't allow employees at random to access this. They're only allowed to access it for the specified purposes. And this is true throughout a number of cases. For example, in healthcare it is the same: there is a problem in healthcare in that the emergency room may need access to the complete patient records. But that doesn't mean to say that the people in the emergency room should spend their time looking at people's patient records.
So you have to be able to relate these things back to this kind of a business goal. And that looks at the three things of the user risks, the entitlement risks and the assignment risks.
Now, one of the other advantages of identity and access governance is a simplified access management process. And one of the problems in the past has been that the auditor will turn up and say, I want to understand what access a certain person has and what accesses they've been making.
Now, if in fact all you had were the equivalent of logs from RACF or from some system, then there is a great deal of translation that is involved in doing that. If a line-of-business manager needs to be able to say that his subordinate has the access that he's required, he thinks in business terms, not in terms of the technicalities of how to control access to individual systems.
So a good identity and access governance technology helps this communication by simplifying the way in which this communication takes place, and reduces the onerous amount of process that is involved in setting entitlements, in monitoring entitlements, in testing entitlements, and in auditing entitlements.
And in terms of compliance: compliance is the most common reason why organizations take an interest in access governance. It is usually because either they failed compliance or they have an auditor breathing down their neck, and cost-effective compliance needs to understand the real access rights that people require. And a lot of IT organizations have taken a very theoretical view of this and have created complicated role structures or entitlement structures that really are over the top, and nobody can understand them.
And so one way that can help to reduce costs is if identity and access governance tools can tell you what is actually going on, can say, this is what is normal behavior. So that by exploiting this knowledge of normal behavior, you can more cost-effectively implement the controls that are really needed in order to detect abnormal behavior and in order to protect critical resources from abuse. So ultimately this is all about managing risk and compliance, and that is about managing risk in terms of reducing its impact and probability.
And the thing that identity and access governance can do is to help you to reduce this by understanding normal behavior, by being able to detect abnormal behavior, and by being able to detect these things both when they occur through external attack and through internal misuse, as well as mistake.
And in order to get this improved security intelligence that we've been talking about, you really have to be able to take out the intelligence, the big data that comes from the logs, of what people are entitled to, what the normal behavior of people in those roles is, and how individuals are operating both against past norms as well as, shall we say, norms of their peers. So being able to detect a cyber attack in the 21st century is more about being able to understand what is happening with your legitimate users than it is about people trying to break down your firewalls.
So what we are saying as a result of this is that the agile connected business needs access governance in order to manage risk and to achieve compliance in a cost-effective way. So access governance is fundamental to information security, and it enables agility as well as innovation. It enables cost saving through the exploitation of modern technologies like the cloud, as well as automation of some of the costly processes which were previously necessary. It provides you a way of knowing that you are managing risks and obtaining compliance in a cost-effective way.
So that is my presentation. And I'm now going to hand over to Amit Saha, who is going to describe Saviynt's approach to access governance. So over to you, Amit.

Thanks, Mike. Hopefully my screen is visible to everyone. Good morning, and good afternoon to folks who have joined the webinar today.
So, Mike, I liked what you said: identity and access management is the new perimeter when it comes to cloud. So what we have seen is many organizations are adopting cloud in a big way today. And depending on the type of cloud infrastructure or the platform providers that you are selecting, I'm pretty certain a lot of these questions are going through your mind in terms of how do I secure my sensitive assets on cloud, who are my privileged users on cloud, and what are they doing with my sensitive assets, whether it's in terms of data or workloads that are sitting out there on Azure or Amazon.
So one of the key things that we have observed is that, you know, many a times cloud initiatives are led by separate teams within an enterprise. And traditionally the identity and access management team has not been a proponent of cloud adoption. In many instances, a lot of times their role has been limited to providing supporting services to cloud security. So things like providing federation or single sign-on, or doing basic provisioning to some of the cloud applications, is what typically IAM platform owners are limited to.
And this is because of some of the challenges that we have observed in the current IAM platforms in terms of their ability to scale and address the cloud problems. And the technologies that Mike talked about in detail earlier is where we are seeing that IAM is not able to take a leading role in providing cloud security the way they would like to. So let's look at some of the challenges that a typical identity and access governance platform has today, and then how do we move forward from there and really drive and spearhead the cloud adoption in a secure fashion.
So if you look at the left-hand side of the chart, what we have tried to list out here is some of the challenges that current IAM tools have. So, you know, first and foremost, IDM technologies are not able to scale and understand the entire entitlement hierarchy that each cloud provider offers today. If you look at it, the authorization model that is there in Office 365 is very different from AWS.
And that is also very different from something like salesforce.com or Workday. Now, each cloud provider, or each identity and access management provider, despite all the connectors that they have, they are not able to really understand and manage the security model in detail for all these cloud applications. On top of that, none of the current identity management vendors today are able to understand the concepts of unstructured data or workloads as some of the secured resources that you need to manage.
Most of the traditional IDM vendors are focused on providing access as a managed resource, rather than looking at how do I secure unstructured data or workloads. The third aspect that we see lacking in the existing IAM providers is that IDM is more of a backend transactional system rather than being in the forefront and implementing real-time preventive access control across critical assets.
And lastly, because of the speed of cloud adoption and the diversity of different cloud applications and their entitlement hierarchy, here we are talking about, you know, if the cloud really needs to enable security for data or your workloads on different clouds, the IAM platform really needs to scale to hundreds and thousands of objects, privileges and entitlements that need to be secured, managed and governed from an identity management standpoint. And many of the identity management providers, the way they are structured today, are really not able to scale and address the security requirements.
So keeping those challenges in mind, from an identity and access governance standpoint, Saviynt has been looking at how do we address these challenges, as well as leverage some of the new technologies, like Mike talked about, things like security intelligence: how do we really bring that in and tightly integrate with identity and access management to really take you to an IAG 2.0 platform? So let's take a deeper look: if I really want to extend my current IAM implementation and secure the critical assets on cloud, how do I go about doing it? Right?
So all the building blocks of an IDM system, whether they are your access request, access certification, or access attestation, the roles, segregation of duty policies, all these are very relevant from a cloud security standpoint. However, because of most of the drawbacks that I talked about earlier, we are really not able to utilize them to provide the cloud security that is needed. So what we have done at Saviynt is to take a holistic approach across different cloud providers.
So whether it's infrastructure as a service, you have providers like AWS or Windows Azure, or it could be productivity suites like Google Apps for Work or Dropbox or Office 365, each has their own set of challenges. And similarly, when you talk about some of the critical business functions like HRMS or customer management or financial packages now moving from the traditional on-premise onto applications like Workday or Salesforce or SuccessFactors, how do we look at securing those kinds of transactions as well? Right?
So in terms of a holistic approach of providing cloud security, we feel that there are three broad steps in terms of how to enable identity and access governance and address cloud security. So the first step is understanding where my cloud platforms are today in terms of access: who has access to it, what kind of transactions are they executing, who has access to some of the sensitive data and, you know, which of my workloads are really at risk or vulnerable because of misconfigurations and those kinds of things, right? And eventually trying to figure out who are my riskiest users.
So visibility, we feel, is the first step in terms of understanding and really gearing up your IAM processes to address the security for cloud requirement. So let's look at how do I go about providing this visibility? So starting off with a very traditional approach, you know, any IAM technology today will have an identity warehouse where it stores all the users and the accounts or the identities that it is aggregating from different sources. So we start off with the same concept.
However, if you look at it, we have kind of promoted the identity warehouse to a security warehouse, where not only are we bringing in accounts and coarse-grained access that we typically do, like Active Directory groups or mainframe groups, for addressing cloud security challenges. What we are trying to do here is bring additional access information from all the different cloud providers onto the same security warehouse.
So for example, if I have Office 365, not only am I bringing in who are the users who have access to Office 365, but more importantly, we are also bringing in the entire data model and the data hierarchy in terms of what are the sites, the libraries, the lists, and the folders, who has access to all of these different entities on Office 365, and then eventually the actual data that resides on Office 365, right? Similarly, from an AWS standpoint, you will see that the entitlement hierarchy is completely different. Here we are talking about bringing in IAM groups and permissions from AWS.
Or for example, in Salesforce, we are talking about bringing in the leads, opportunities, the client accounts, and the permission sets, all being brought into the same security warehouse, so that we are able to clearly articulate who has what accounts on all these different cloud portals and, more importantly, what kind of access, as it relates to the different transactions and the different data objects, do I have, right? The second additional thing that we are bringing in to the same security warehouse is the notion of data.
Many of the current IDM tools do not understand data per se. They don't understand, you know, what is a period of document or what is intellectual property, or is there any source code lying on Office 365?
So this is one of the things that we have done as part of building the connectors, or the specialized connectors, for the different cloud providers: to get visibility into all this data, so that then we can run things like classification to really identify if I have any PCI, PHI or PII kind of information sitting out on Office 365, or it could be on AWS, you have S3 data objects, and see if any sensitive information is residing there. And the last thing that we are bringing in to kind of complete the security warehouse is the activity information.
Now, usually what happens in a typical enterprise is activity information is something that I will bring into a security information and event management tool or a log aggregation tool. And IAM technology does not really look at activity as one of the decision metrics and bases IAM processes off it. Right? So in order to address the scale, the volume and the complexity of the entitlement data, and also address and leverage technologies like security intelligence, activity is one of the critical aspects that we need to also bring in within the security warehouse.
So that not only can we report on who has access to what, but more importantly, we can also say what are they doing with that access on different cloud platforms. And then with the combination of those two different views, we can then identify, are they doing anything suspicious? Are they violating any enterprise policies? And then how do I go about securing it? Right. So these are just a few examples in terms of how do we go about building the security warehouse.
So if you look at the leftmost screen, we have got an entitlement hierarchy of AWS, where at the EC2 instance level we are able to identify whether the administrator has got the ability to run, stop, start, or launch the EC2 instance, or at the S3 data object, what kind of bucket permissions do they have, whether it's full control or read-only, right? So that entire entitlement hierarchy of AWS is now mapped into the same identity and access management platform that you have within the enterprise. And thereby you can now look at governing and managing access to AWS.
Similarly, from an Office 365 standpoint or salesforce.com standpoint, I have listed here a few examples. So for example, in Office 365, not only are we identifying which are the different lists and the folders and groups that the user belongs to or has access to, but more importantly, at each and every file level, we are also deriving how did that access come about for the user: is the access to that file derived or inherited through group memberships or access to parent objects within which the file resides, or have explicit permissions been applied to those files because of, you know, direct file shares, so on and so forth, right?
Again, it is very important for me to understand how an access has come about for a user at a data level or at a transaction level or an opportunity level, because that is the only way I can then safely and appropriately remove the privileges when it comes to deprovisioning of that access across different cloud environments. So it is very important to understand that entire entitlement hierarchy and the inheritance model, as well as the fine-grained entitlements that a role or group membership allows me to do in the cloud environments.
So once we have brought in all this information into the security warehouse, the next step is to understand and start classifying which are my critical or sensitive files, or which are my sensitive workloads on different infrastructure providers.
So for example, we can look at a whole set of unstructured data and then apply a whole set of predefined risk signatures to identify: does this file or a document have any PCI data, or does it have any intellectual property which is sensitive to my organization, or has someone inadvertently exposed my source code onto Office 365 because they wanted to collaborate with maybe a different development team in a different geography, right? So classification is one of the key aspects.
And again, giving organizations the framework to really expand this classification, customize it based on their user behavior and usage patterns, is very crucial to really isolate and identify the critical data that resides on cloud, and then go about applying the policies around them. Similarly, when it comes to infrastructure as a service, you know, the critical assets there are the workloads, and here we are using things like which VPC does that workload belong to, or what are the different ports that are exposed on the workload?
So whether it's a web server or whether it's a database server or an application server, we need to understand what kind of asset, you know, application server or database server, that workload is. And more importantly, is it my development environment or is it my production environment that is sitting out there on AWS or Azure? So classification is one of the key aspects of identifying my critical assets.
However, many a times what we have observed is that classification done in a traditional manner can lead to a whole set of false positives because of the sheer volume of data that we are bringing in. And the classification techniques are still limited in terms of, you know, identifying the right data in the right way. Right?
So instead of relying on just classification, what we have also done, and again coming back to Mike's point of bringing in security intelligence, is that we have also leveraged techniques like outlier analysis or user behavior analytics to really identify who my riskiest users are who have access to those critical or classified assets that I have now identified. So one of the techniques that we have successfully leveraged is outlier analysis. So here we have a user, John Doe, who belongs to a division called asset management.
Now, what we do is we look at commonalities of access that John Doe has to all the other users that belong to the asset management division. Right? Once we do a compare and contrast of the access between these two types of users, we identify that there is 64% commonality between John Doe's access vis-à-vis his peers that belong to the asset management division. Now a peer group should not be just one, but rather a user belongs to multiple such peer groups within the enterprise. So I could belong to a department called funds, or I could also have a title called a funds analyst.
And there could be multiple peers who have similar access to me. Now, by identifying my cohesiveness or similarity of my access across all these different peer groups, I'm then able to identify what is my outlier access or exception access that I have as compared to all these different peer groups. Once I have that information, then I am able to identify not only that a document has got PCI information, and not only identifying that maybe 15 people have access to this PCI document, but more importantly, I can also state that 14 out of those 15 people also have access to this document.
They all belong to, you know, the same group. So it's okay for them to have access, but maybe one out of those 15 users that has access to the PCI document belongs to a completely different group. Maybe that person is an IT developer or, you know, someone who has no access. So once we are able to identify that outlier access, that's where we prioritize and highlight those kinds of risky access, rather than just telling you 15 people have access to this and you need to remediate this.
So this helps you in prioritization identifying really where the risk lie within sensitive data or workloads within your environment. So this is one inter of security intelligence within IR and access management that are, we are bringing forth. The second step in terms of security is protection.
Now, many times what we have seen is that IAM is more of a transactional system. That means it tries to ensure that people have the right amount of access upfront as part of the provisioning processes.
However, in terms of cloud, we want to enhance it and take that access control to a real-time basis, given the nature of cloud itself. So what we have done is enable multiple technologies to provide preventive cloud security. First and foremost is, again, leveraging the existing techniques that we have within IAM tools and then enhancing them to meet cloud requirements. One of the things that we have done, because we now have visibility into who has what and what people are doing with the access that has been provisioned to them on different cloud assets,
is to integrate that and build roles which are more effective.
So for example, you can include only those entitlements that have been used by the users that belong to the same peer group, and then build effective roles out of that. Or we give you the option to identify which attributes are common between all the users who have access to a particular file or folder, or a workload on AWS, by identifying things like five attributes in this case, where I am trying to identify whether, by combining attributes such as cost center, region or location, I can arrive at automated policies by which I can grant access across different cloud assets.
So these are some of the enhancements that we have made to existing technologies, then giving you the option to define and adopt an attribute-based access control model and an RBAC model that really simplifies security management when it comes to the different cloud assets. Here, for example, you are saying that if the region code is "branch" and the person's job description is "risk analyst", then I want to automatically assign them access to a particular folder on Office 365. So moving from a request-based model to an attribute-based access control model makes it more contextual.
That's what we are allowing enterprises to do with their IAM platform. Then we have also brought in automation from an access request platform. So for example, instead of relying on the end users to log into your access request system and request access to different cloud assets, the same rules can now be used to automatically submit a request on behalf of the user if all the conditions are met.
So in this case, if a person's region code is "branch" and the job description is "risk analyst", then I want to automatically submit a request on behalf of the user and give them access to maybe some sensitive information on Office 365, rather than the user proactively coming into the access request system and requesting access. So at the end of the day, the goal is to reduce the end-user impact by creating all these automated business policies and automating the provisioning from an end-to-end standpoint.
And this is how we will scale to meet the entitlements, which are going to be a whole lot of entitlements, because now we are talking about securing documents and infrastructure workloads on cloud. And to extend this forward, we have also extended the policies from not just doing provisioning to actually securing data in real time.
So for example, we have listed some examples here for data access security, where I am specifying that if someone belongs to the marketing department and they are trying to upload a PHI document to the marketing folder on Office 365, then when that happens, I want to send it for the manager's approval. Now, the approval request leverages the same access request backbone that you have within your IAM technology.
But instead of using it to provision access, I am using the same policy and the same access request process to obtain access to a sensitive document on cloud. Or the same thing can be extended to infrastructure, where I am saying that if someone is trying to publish or launch a production instance on AWS with open access, then I want you to block that launch of the infrastructure workload and notify the user's manager about the launch that was attempted. So the intent here is to extend the same ABAC and RBAC policies and now provide data security within your environment.
And more importantly, we are now talking about making all these policies real-time, so that I can enforce them at the time the actual action or activity is being performed. So for example, if a user is uploading a document to Office 365, at that time I analyze the Office 365 document in real time, I do the data classification and the risk analysis, and identify if that document is violating any business policies or data access policies that I have defined.
And based on the policy violation, I then take corrective action, which might be to quarantine the document or encrypt it, or send it for approval from the manager or security administrator. Only after those actions have been performed do I release the document back to the end user, securing it in a real-time fashion.
So not only is the IAM technology ensuring the right access for the right people, but it is also enforcing that in real time with the same technology components that you have. The last part in terms of ensuring security in a cloud environment is to have a complete, continuously evolving security landscape. How do I stay one step ahead of the new threats that are evolving? And this is where security intelligence and some of the dynamic access policies play a very big role.
So what we have done here is not only use the typical access policies that you use to proactively provide access, but also tie them very closely to the user lifecycle events that are happening. So for example, if I am getting a trigger from Workday saying that a person has changed departments: here is a transfer use case where the person's cost center has changed, or the person's manager has changed.
I want to identify that and then launch a certification, or in this example, I want to rerun all the provisioning rules that I defined earlier, as well as launch a certification, to ensure that the person has the right access to appropriate cloud assets at any given point in time. So closely tying your HR processes to the cloud environment and cloud security is again crucial to ensure that the right access is provided at all times.
And the small example that I have put here at the bottom is where we are exposing documents, and more importantly sensitive documents and risky infrastructure workloads, as part of the same access request process, where instead of requesting access to a group or a role, we are giving users the option to request access to documents, so that they can proactively obtain access via approvals and additional due diligence can be applied at that point in time.
The second thing that we have done is to bring the same infrastructure and data object components into your access certification process. So in this case, not only are we bringing EC2 instances into the regular attestation work that you do, but more importantly we are also providing some of the intelligence and decision tools that the certifier needs to make the right decisions.
So for example, not only are we saying that a person has access to so many EC2 instances or data objects on AWS, but we are also specifying when that asset was last used or accessed by the end user. Now, that is a very powerful capability, because if a person has not used the access over six months, nine months, then I can take a decision that it is safer to remove that particular access within cloud. So this is how I am trying to scale up and address the volume of entitlements or access and still pass and streamline that through a certification process.
The second element that we are also identifying here is risk. Now, the risk is determined through multiple aspects. Like I talked about, the peer or outlier analysis is one type of risk.
And there are a couple of other technologies that we have used to identify risk. The intent here is to not expose all the data access or all the infrastructure access that I have in the certification process, but rather highlight only the outlier, sensitive or high-risk access that I have go through certification, and make the revoke more effective by giving the right decision tools to the certifier. The intent here is to reduce any impact to the end users from bringing in millions and millions of entitlements.
We are trying to cut that down by only exposing, certifying or attesting to five to 10% of the typical entitlements and reducing the overall campaign from a certification standpoint. Another part of staying clean is to have a very rich risk signature library or security controls library that constantly evaluates my security posture and identifies if there is anything suspicious happening in my environment: is my security control being effective or not?
Are there any major gaps or lapses coming up in my cloud infrastructure security, really pinpointing the loopholes or the weak points in my security setup? So tightly integrating these controls and extending that visibility to all the different consumers of cloud security, whether it is your infrastructure security people, your application security folks, or your identity and access management owners,
and bringing in this control information, is very crucial. And the last set of techniques that we use to simplify the overall security management is to look at things like: are there any rare events happening in my cloud environment? So for example, a particular workload has never been spun up or launched in over six months.
Now, suddenly that sensitive workload has come up and there is a huge amount of traffic flowing into that workload. That could constitute a rare event, and that warrants further scrutiny and analysis of that workload. So how do I identify those rare events, or how do I identify anomalies in users' behavior, in terms of the number of transactions they have been doing or the number of documents they have been uploading to cloud? Is there a significant change in that?
So for example, suddenly I am seeing that a user is accessing the same cloud environment from multiple IP addresses spread across distinct geographical locations, and that could increase the risk profile for that user. Or a person is downloading a huge number of documents from my Office 365 environment, and that could constitute suspicious activity. So bringing all of that together and tying it very effectively with the IAM processes again ensures that we are reducing the impact for end users.
We are automating the analysis that is needed to identify just those risky transactions and ensure that we can adopt cloud in a much more secure, streamlined and effective fashion with the same IAM technologies that you have. So this is a use case where we have identified, by looking at different applications or activity points, so for example I am looking at the emails being sent to Office 365,
I am looking at the download patterns in your on-premise SharePoint instance, as well as the amount of data that is going out overall to cloud. By combining all of these different data sources, we can identify that this person is a flight risk, because the person is really taking a lot of sensitive information out of my enterprise, copying it to USB drives, emailing it, or uploading it to Office 365 or OneDrive kind of systems, and creating a high-risk situation in my environment.
So the intent here is to bring all of these together, provide better visibility in terms of who has access to cloud and what they are doing with cloud, and really augment your existing IAM platform with additional capabilities such as data access governance or infrastructure access governance, while the security intelligence and the behavioral analytics augment all the building blocks of IAM and take it to the next level to provide security for cloud in a holistic fashion. So with that said, I would like to open the forum for questions. Mike, back to you.
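As an added illustration (not part of the webinar or of any vendor's product), the peer-group outlier analysis described in the presentation, and the certification step that shows a reviewer only outlier access, worked through in Python on constructed sample users, entitlements and peer groups: the commonality of one user's access with a peer group, the entitlements that no peer group explains, and, for one sensitive entitlement, which of its holders is the outlier.

```python
from typing import Dict, Set

# Constructed sample data (not from the webinar): user -> entitlements held.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "jdoe":   {"pci_reports", "fund_ledger", "trade_blotter", "src_repo"},
    "asmith": {"pci_reports", "fund_ledger", "trade_blotter"},
    "bwong":  {"pci_reports", "fund_ledger", "trade_blotter", "risk_dash"},
    "cdiaz":  {"pci_reports", "fund_ledger", "risk_dash"},
    "edev":   {"src_repo", "build_server"},
    "fdev":   {"src_repo", "build_server", "pci_reports"},
}

# Constructed peer groups; a user sits in several (division, title, ...).
PEER_GROUPS: Dict[str, Set[str]] = {
    "division:asset_management": {"jdoe", "asmith", "bwong", "cdiaz"},
    "title:funds_analyst":       {"jdoe", "asmith", "bwong"},
    "division:engineering":      {"edev", "fdev"},
    "title:developer":           {"edev", "fdev"},
}


def peer_share(entitlement: str, user: str, group: Set[str]) -> float:
    """Fraction of the user's peers in `group` (user excluded) holding `entitlement`."""
    peers = group - {user}
    if not peers:
        return 0.0
    return sum(entitlement in ENTITLEMENTS[p] for p in peers) / len(peers)


def commonality(user: str, group: Set[str], threshold: float = 0.5) -> float:
    """Share of the user's entitlements that at least `threshold` of the peers in
    `group` also hold (the kind of percentage the webinar quotes for one peer group)."""
    ents = ENTITLEMENTS[user]
    common = [e for e in ents if peer_share(e, user, group) >= threshold]
    return round(len(common) / len(ents), 2)


def outlier_access(user: str, threshold: float = 0.5) -> Set[str]:
    """Entitlements that are rare (< threshold of peers) in *every* peer group the
    user belongs to; if any one group explains the access it is not an outlier."""
    groups = [g for g in PEER_GROUPS.values() if user in g]
    return {e for e in ENTITLEMENTS[user]
            if all(peer_share(e, user, g) < threshold for g in groups)}


def risky_holders(entitlement: str) -> Dict[str, bool]:
    """Everyone holding a sensitive entitlement, flagged True when it is outlier
    access for them: the one name a certifier should review first."""
    return {u: entitlement in outlier_access(u)
            for u, ents in ENTITLEMENTS.items() if entitlement in ents}


if __name__ == "__main__":
    grp = PEER_GROUPS["division:asset_management"]
    print("jdoe commonality with asset management:", commonality("jdoe", grp))
    print("jdoe outlier access:", outlier_access("jdoe"))
    print("pci_reports holders (True = outlier):", risky_holders("pci_reports"))
```

On this data four of the five holders of `pci_reports` sit in the asset management peer group and are left alone; only the developer whose peers do not share it is flagged.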
Thank you very much, Amit, for that very interesting presentation and a very interesting product. We are running out of time a little bit, and I see no questions from the audience, but there is one question I would like to ask you, which is: how does this all work if you've already got some IAM tools in place? So how would you answer that? Sure.
Mike, so we understand that any organization will have an IAM tool like Oracle Identity Manager or SailPoint. What we are doing here is, with the building blocks of any of the existing IAM tools, we keep them as is, and then have a very modular approach where we are bringing in the security intelligence, visibility, data access governance and infrastructure access governance components, exposing and integrating them via web services with the existing IDM tools to make them more effective, so that you can really reuse all the investments that have been made in your current IDM technology.
And you are still able to address cloud security requirements with some of the add-on components that we offer. Thank you. Thank you. So there is a question for Amit which says: for rules and policies for access, are the rules built by the admin or are they mined automatically? So can you answer that?
Sure, sure. Given the nature of the cloud, where you have got so many different types of assets, so many different types of transactions and data, one of the things that we have really focused on is automating this and focusing on rule mining rather than relying on the business or the security team to come up with these rules. So automation is key. That's the only way we can scale up the IAM platform and address cloud security requirements. Okay. Thank you very much, Amit.
Well, I think we've now reached the end of the hour and I don't see any further questions from the audience. So based on that, I think it remains for me to say thank you very much, Amit, for that very interesting and informative presentation about what is a really special product with a very useful set of functionality that is going to be very important in these days for the agile connected business. So thank you very much to all of the audience for your participation, and there will be a recording made available tomorrow.
So good afternoon, good morning, or good evening, depending upon where you are. Thank you for joining this KuppingerCole webinar.