Matthias Reinwarth, Lead Advisor & Senior Analyst, KuppingerCole
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Advancing from cloud first to identity. First again, if you have any questions, please add them in the app and they will pop up in the, in the iPad here at Fabian's desk. Or we just picked them just, and did this before. So quick for the agenda. I have 30 minutes, never tried that finished Sunday, of course, but let's see how that works out. So we have this agenda. We look at hybrid multi-cloud identity and the access challenges around that question.
Mark is behind CIM or key as Patrick put it to the rescue from cloud first to identity first, which I think is an important aspect to look at because I think that is important. It is also not the full picture, but it's part of the full picture and then what to do. So getting from tactical to strategic measures and to, yeah, to really take something away on a very high level, that's what I'm looking at. So the idea is how to deal with what is on that slide. Your I infrastructure is changing. It has already changed and it will change. So the management of infrastructure must be adapted.
So we need to make sure that we can deal with this changing paradigms of how we build infrastructure. So cloud first, that's the, the buzz word that we have for years now, but what does that mean? It means we create new infrastructure, primarily within cloud computing platforms. I'm not necessarily looking at the small startup that's cloud only. They are lucky, but, but if you look at an existing traditional legacy type organizations, they will create new infrastructure primarily within cloud platforms.
And if they do this, they try to move, lift and shift existing applications to cloud computing platforms to get rid of their on-prem data centers. So that's cloud first for me. And it means you extend your infrastructure. It does not go away with infrastructure as a service and platform as a service. So cloud first leads to cloud lots of cloud, many clouds, and these extend your existing it. So you end up with complex environments in the cloud, in the clouds and on top of what you already have. So it's not just the data center somewhere else.
So you apply the same processes somewhere else does not work that way. So these are highly dynamic environments as we discussed in the panel. So it's highly volatile machine, a virtual machine, a soft define machine that is here as Patrick, put it on Tuesday might not be there on Thursday and all the resources, all the assets, all the data that's gone. This is designed for dynamic workloads. So you can, can scale up and you are, as I said, you are creating assets, resources, networks on the go and destroyed.
And so are there administrative accounts, any accounts, the data across multiple cloud services. So multi-cloud and cloud first is not only cloud as I pointed out. And it is integrated with your on-premise of services and infrastructure. So it's not just moving to the cloud. It's just getting bigger, adding the edge. What is the edge it's using existing infrastructure that is somewhere distributed in your network periphery and you process data sent decentrally there because it's there, it was generated there. You can process there.
Maybe you have the processing power there and you can utilize idle storage and computing power, and maybe also meet some of the needs that are special to this infrastructure, because there are only loosely connected. There are not all necessarily needed everywhere in the network. So you have an additional type of infrastructure there as well. So that's the edge. And that's a, that adds to on-prem multi-cloud edge site note, this hybrid shadow. It is a reality. You are not necessarily asked just because you are it or it governance or it strategy.
Whether a department somewhere in the periphery can create a solution. And that puts your organization, of course, at risk at risk of compliance, data breaches, whatever. So you must regain control. This is a site note. This threat of my thoughts ends here. Keep it in mind. It's really important, but I don't deal with it anymore. So what do you need to do with such an environment? I don't read this out at all of it, but just to make sure you need to make sure that you have basic processes in place to deal with this kind of complexity.
So you need, you can need to go from managing identities to their entitlement entitlements and what we've discussed before time limit access, ensure data governance across all these platforms, because you have to, you have no choice. You're not asked to whether you like it or not enforce least privilege in the best of worlds, ensure transparency. What Mike presented earlier inside proactive control and audit in such a volatile environment.
And while it is existing detect anomalies, make sure that you find out even in such a quickly, fast changing world, that you find anomalies, when things go wrong, there might be signs and, and outliers being identified, malicious activity, human error, especially human error, and non-compliance with policies and what you need to do. And that is something that we discussed again and again, that Martin mentioned in his keynote is automation because you won't be capable of doing this by hand. Impossible. You cannot do that.
If you have more than one cloud, there are different approaches of administering them. This is a tourism, but at least we have to have a look at it. So maybe you do it each cloud on its own. And this is something that also hints at what Jerry did before. So there needs to be some way of dealing with it. Maybe if I had heard his presentation before creating this presentation, maybe that would also hint there to make sure that there might be a way of dealing with that. So you can deal with it one at a time, you can do it cross cloud platform, all clouds together, there are solutions for that.
And you can across your entire infrastructure, which of course is a large, a huge challenge. I'm an Analyst I'm not having to do that. I'm just talking about it. But nevertheless, this is something that you really need to take care of. So this keeping in mind, how do you deal with your hybrid it with your cloud platforms, with your existing hybrid infrastructure? So bit of an interim summary hybrid multi-cloud it is a reality. I don't think that anybody in this room would say, no, I don't have that. I check it. Somebody volunteers. No.
So your, it is hybrid of multi-cloud. And to understand that in a bit more detail, just to show the complexity I've created this.
So yeah, you have traditional on-premises it data centers. You have multi-cloud services infrastructure as a service platform, as a service closely related and software as a service completely different. And you have edge computing and maybe more, maybe this picture is not complete, but it's as hybrid as it can get. And on top of that, actually it's below that we have different types of ways of doing it. That could be agile. It that runs here. It could be DevOps that could run here or here. It could be dynamic, automated scaling behind that and that, and maybe even that scaling here.
And so it goes on. So you have VMware, maybe on-prem you scale it up to the cloud. So everything of this can be somewhere there. And you have short lived entities, you have users, privileged users, technical user system accounts, all types of these IAM assets, entities that we usually talk about at ESC. And you have all of that across whole platforms. So you have governance and auditing and you need to do data access governance. These are two requirements that you can't get away with out. So we are not on premises anymore.
So you need to make sure that your IM and cloud security scales up for these new capabilities. You need to manage volatile, highly dynamic infrastructures in a hybrid world. Sounds great. It's a challenge. So you need to work with dynamic workloads.
So you, you need to scale up because you have business requirements, you have peak hours, you have black Friday or something like that, and you need to scale up. You need to deal with that and you need to deal with that in an adequate manner. You need to have multi-cloud provisioning closely to what, what, what Jerry said, but also the administrative part Martin said policies plus automation enough. I think so, but maybe not.
So this really this crowd for infrastructure, identities, access and bit in brackets, because it's not really our focus, usually data, but nevertheless data govern governance was on the former slide. We have shortlist infrastructure talked about that and we have DevOps and beyond. So we need to be capable of dealing with this infrastructure as code paradigm and everything that's related to that. Martin has a strong view about infrastructure as code, but nevertheless, it's there. We need to deal with it along comes CIM, Cloud infrastructure, entitlement management created.
As, as we discussed before, as a marketing password, give defining a market segment for vendors to fill into solve some of the problems. And maybe more that I just presented before. So what does it mean? This is the definition, at least parts of it. So C cm is defined to be the tool set a tool set to solve these tasks. So it's capabilities, a tool, a product, maybe so. And that's actually the slide that I chose when I asked the panel before. So we have, it's an identity centric software as a service solution.
So that means CIM cannot run on-prem I don't know, or be deployed as something that runs on IAS. No, they say it's SA entitlements as we've discussed, it's it aims at defining and enforcing access policies. So you define access policies and you enforce them. So you project them to your infrastructure. You proactively manage entitlements and data governance. So this is the access, and this is a result. The data governance process is a result of managing entitlements instead of cleaning up afterwards, which is a good thing, manage cloud access risk.
So understanding cloud access risk in brackets, that requires that demands for a very mature organization that understands cloud risk. Again, I don't ask the question, but you can ask it yourself. How mature is your organization in defining your and assessing your cloud risk? It's it aims those solutions, cm aims at enforcing time limit access control. And it adds this buzzword bingo, sprinkle of analytics and machine learning to find the outliers.
And it aims at hybrid and multi-cloud cloud structure as a services architecture, that's the more or less the original definition as it was in the, in the hype cycle. So it's that, and it's only IaaS why, and as we discussed in the panel, this is not entirely new. There have been different building blocks. And I tried to discuss that also with the panel before we have Pam and some vendors called it CPA, I've put it in air quotes. So many cloud entitlements are in fact privileged access. They are privileged accounts.
So there are, we have a leadership compass on dev pump for DevOps looking at the same market segment, more or less, we have provisioning that can be automated. That can be highly automated. That can be also dealing with volatile environments, maybe not at scale, but it is around. We have user life cycles. We have policy based access at runtime. And of course we also have policy based access administration of roles to entities at design time, rather than at run time. So this is not entirely new. Yeah. So if we look at that landscape, I hope you, you get the picture very quickly.
We have on-prem IAS, psss edge, and we have different assets starting from the actual infrastructure, be it real or virtual services on top of that technical users, admin service accounts, enterprise users. So where EIC comes from consumers and data, just to make sure where this could be managed and which part of your identity fabric, which capability deals with that. So we have covered by CIM increasingly covered by cm, covered by existing solutions and sometimes covered by existing solutions.
If you want, look at this picture and you take a photograph of that, I don't know if it's fully corrective just to show the complexity. So this would be covered by existing solutions being from Pam to Pam here, CPA, if it's called that way and maybe cloud native IM Pam across these cloud platforms. And if you look at the full picture, I don't go through it all. I think more or less makes sense. You have native tools at the edge. You have virtualization platforms across the whole landscape.
So a VM where platform could be somewhere, maybe covering some of these platforms and the DevOps tool, chain orchestration and anything like that. And native tools. So more interestingly, where does this also reach out? Usually we see IGA in Federation, also here and data governance. If it has the reach to get to the edge also here still easy. This is CIEM in my first assessment. I don't know if this's fully correct, but I hope that makes some sense. So we are managing service accounts. We are managing maybe some of the enterprise users as they are required for maintaining this platform.
And as they promised me, they are doing data governance. So we have CIM here. So this is maybe the, the narrow story of cm. And if you look at the products that we already see, we see them also reaching here, here, and here. And to be honest, also here, sometimes they also reach back to, for example, the administration of the virtualization platform and their service accounts. And that's makes my nice two angled pictures does not fit for that, but maybe that can work as well. So we have this as I translated as an infrastructure rock rack rack, is that good? Okay.
So this would be the picture and what do we have added complexity rather than a nice, bigger picture? So we need to deal with complexity. We are it people and Analyst. We need to deal with complexity. So we need to go beyond cm. It's fully clear. We are talking about cm as if it is only a buzzword, which is not true. And then we have to take that step back. It addresses important challenges and provides valuable services. There are building blocks in there, which are really required, which are not yet fully met or not at all met. So these capabilities are essential.
They are addressed in a limited scope because I said, SAS, only for IAS. So maybe we should think bigger here. And as we have seen these cm provided capabilities are extensions to our overall architecture.
And yeah, you need to make sure that this fits into your full cloud encompassing IM and cloud security picture and actually the many vendors. And I think also the people that, that have been with me in the panel, they are doing this already. They are extending the focus of C I a M while rebranding it, or integrating it into their platforms towards data centers, towards multi-cloud multi hybrid. It including platform as a service along comes dream. Yeah.
So this is, this is the term that Martin presented on as, as part of his opening keynote it's dynamic resource entitlement and access management as a bigger vision than cm. And I don't explain that that's the picture Martin presented during the opening keynote. And I highly recommend that you go back to those opening keynote, because I think as it was really packed with content, you might want to rewatch it again and maybe at half speed. So that would be the bigger bear Martin. So Matthias says, have a bigger picture integrated have this dream picture, is this enough?
That's it quick hint, no. Consider your cloud admin in an organization leaving tomorrow your IGA life cycles because you're great. And you join move lever processes will deprovision her Alice from your business applications who makes sure that she's also deleted in your standalone SAS CIM solution? I don't know. That means you need to move towards an identity first approach. And if you think back to unfortunately, two years ago where we presented the identity fabric at EIC.
Yeah, there it is. I think C IM and its functionality fits in there. And you see, there are holes here and holes here, holes here and holes here. This is this concept of managing identities and access as a whole in an interconnected fabric, interconnected layer of identity, functionalities, and capabilities from capabilities to services, to technical architecture, with influence systems and provision system and, and managed systems, the legacy IM digital services software as a service and consuming digital services that use API layers.
And we think, I think that is a yeah, a thought, an idea that that might fit here as well. So you have agile, it, you have DevOps and lots of more, this, these are examples and these provide their information, not through databases or directories or Federation. They have repositories events, policies, and that make sure that this input is fed into the identity fabric and used there. And then we add cm functionality, whatever that means could be this nice aim layer could be the, the management of, of automation of policies.
And that ends up in an entitlement management service that might encompass this and go bigger. So it might be traditional provisioning. It might be CIM provisioning, highly automated, highly volatile. And this ends up here in cloud and the edge via Federation provisioning, APIs policies. So this is our idea of how to integrate that into a bigger picture. And I think the identity fabric still works fine with that. That is my idea here. That's it still no, very quick. I have to check the clock five minutes. Okay. I have to speed up.
I said the fourth point of my agenda is tactical versus strategic. And that is what this is about. What does it mean for you as an end user organization for you as a vendor providing solutions, in our opinion, as an Analyst, how to deal with that?
Oops, this was not the idea, the, the, the, the challenges and the problems and the solutions that are required are very tangible. They are here, they need to be solved. So this is a challenge of today and C I E M tools are here to provide solutions today. So if you have the requirement do so, you need to make sure what, what, what Mike said just in time security for just in time, it consistent governance across hybrid it, and CIM tools might help you.
We think that this dream dynamic resource entitlement and access management, and it's way of embedding CIM into a bigger picture, is the way to move forward. And that is actually the, the segue over to the strategic point of view. So how could we do that in a more controlled strategic manner?
This, what I just said is just one step of the journey. So the scope of IM and cybersecurity for a hybrid and multi-cloud reality must be extended beyond that. We need to go further, and that is what Martin presented. So that plays hand in hand. That's the reason why my presentation was finished on Sunday evening. So you need to move away from traditional static access controls policies. You move towards just time. Entitlements policies enable policy based, access controls, faster automation for management and security across all of your hybrid.
It, and these are the four aspects that I mentioned before, and maybe more, and you need to integrate that with enterprise processes and practices that goes beyond just, I am, this is just one sentence, and I know what's behind that, but to make sure that this really plays well with it, service management, it asset management, DevOps, GIS, and many more. So really having this foundation for large scale automation like this, your it infrastructure has changed fundamentally all it dynamic management policies and automation, and one consolidated consolidated approach.
That would be the strategic view summary. All of this go beyond IAS. Look at PAs and other infrastructure. We have nice added functionality that solves problems integrated use this sprinkling of machine learning that will, or most probably will provide value and solutions and help you in. So solving your problems today, but integration is essential. Integrate SA DevOps on premises, VMware, whatever you have and integrate from day one, just do not just take this nice cm tool, just because it's a tool, it's a password it's marketing, there's a vendor that gives it to you. Make sure you use it.
Yeah. Sensibly. So not just yet another hype tool, because yet another hype tool is yet another silo. And that does not work for you should not work for you. So tactical do it integrate towards dream and really support and enforce your cloud security as it changes over time and strategic have a future provision. And that means you need to maintain an overall blueprint, which is always a dream, but you have a vision to go forward, move forward to getting to a unified identity access and cloud security ecosystem and go beyond and define a general strategy for your multi-cloud multi hybrid.
It that's it. Yes, but rewatch Martin's keynote. I think that is a good starting point for the bigger, bigger picture, because this is just the bigger picture. Thank you.