...legacy in that space. And so for me, it's also an interesting scene.
And as I've said, it's something which is really also a scene which seems super relevant for our customers. I'm here with two people who definitely know more than me about it: Matthias, who is the director of the IAM practice, and Patrick Parker, CEO and founder of EmpowerID, specifically due to his role in this software world. The company has been The Dot Net Factory, which gives some sort of insight into where it stems from, where it comes from. So Patrick knows really a lot about AD and Azure AD today.
We will really talk about what the options are, how to do that, what to consider. This is a very, very open workshop. So ideally it's really a workshop in the sense of you bring in your questions, you bring in your opinions, your expertise, whatever. And so the plan for today is that we start by talking about the drivers.
So what is it that makes companies, organizations, think about moving AD to the cloud? And we look at what it means to go from an AD-first to an AAD-first approach. There might be other approaches.
It might, yes, be property-first or something like that. There are clearly different ways to go.
And we are very open on that. We look at this very openly, so we will discuss this from different angles: how to deal with this Azure AD and on-prem AD stuff. Then we look at AD going forward. I think it's an interesting question these days, because regardless of how we look at it, at the end the on-prem AD is shifting into a legacy state. If it is, we can discuss that during the workshop. We will look at architecture options, so how to do it, and also, beyond technology, what it means from a business, security, compliance and governance perspective.
So this is the plan we have for today. And as I've said, we want to make it as interactive as we can.
So this is also where we want to start. And this is also where I think I hand over to Matthias to start collecting that together with you. And then also, as usual here at EIC, we are a hybrid event. That means we have a number of people tuning in via the internet. So if you want to comment, if you want to bring up your insights as an online attendee, best raise your hand in the Teams session. And then we can sort of bring you in. You can come in with video, without video, whatever you want.
So you can actively participate regardless of whether you are in the room or whether you're somewhere outside of this room, somewhere globally, wherever. So this is basically, I think, the starting point. But yes. Yeah. Then really, first of all, I really want to make sure that you contribute. And this is an easy starting question, of course. And I know that there's lots of expertise in that room, and I know there's lots of expertise in the Teams room. And I really want you to share your experience, starting with requirements, which these drivers are.
I would like you just to give them to me. I have a microphone to pass around. For the Teams participants, please, just as Martin says, raise your hands.
And the technical team will put you on screen so that we can see you, or at least hear you, so that you can give your feedback to us. So it's really trying to identify why you really want to move your existing AD to the cloud. And maybe we should then explore the different options.
Of course there's AAD in the room, and what to do with the on-prem enterprise Windows Server AD. So that would be the starting point. And I would just like to go around, and then we collect it really on paper, on that board, to make sure that we get your input here as well. And I really want you to participate, to contribute, to help us. We are still beta testers. This is a hybrid performance. They have done this on Monday, me not, so I'm really in my beta phase already. So please support me in gathering these drivers. Who wants to start?
So I think one of the drivers for Active Directory in the cloud is frankly new business applications, which are developed in the cloud and simply require the Azure accounts. You say Azure account. We need to be clear.
We have different dimensions here. You're completely right.
But we are also talking about a traditional, hybrid, legacy-prone enterprise as well, which still has its AD somewhere running around. So that might be something to look at as well, but absolutely, new business applications. You're thinking of software as a service, right? You're thinking of software as a service. Right. Okay. Anybody else? Raise your hand.
No, just moved. Okay. And if we think of AD, traditional AD, what could be reasons for moving your AD, your AD account, your AD permissions, group memberships to the cloud? I think something is going on in the chat. I don't see anyone actively raising the hand for now.
So yeah, it's early morning, day number four. Yes. Maybe it takes a little more coffee. More coffee. I think one of the main drivers currently will also be that Microsoft is just somehow gently forcing you to do that, just because of the way they have set up the new operating systems, the Office and so on. So you have to do it in some way. The question is how. And yeah, really the question we would like to clarify today: should we keep our old system, the old AD, or what to do with that?
And so maybe also, to speed up the discussion a little bit, what we hear from our customers, from our audience: I think the main thing at the end of the day is that a very significant ratio of organizations has some Office 365 or Microsoft 365 in place, which means you have Azure AD. And so it's not the question, will I have Azure AD? It's the question, what do I do around it? And what is the strategic role of Azure AD?
I think this is where, for many of these, the conversations really start, that they say, okay, this is something I have. I most likely also have an on-prem AD. And then the question is what to do with that on-prem AD and Azure AD.
What else, what is the right way to go forward? So this is really: because I have Microsoft 365, I have Azure AD, and then the strategic decision. I think this is important to understand, that the strategic decision usually has been made at another place. So it's not the strategic decision which is made at the beginning.
Oh, we go for Azure AD. It usually starts with someone saying, oh, we go for Microsoft 365 or so.
And then it's where you need to think about what to do. So this is what I see most.
And then the subsequent things, which are probably modern drivers for not just saying, okay, I shift everything, but saying, okay, we need to carefully consider this. These drivers very frequently are: we have some stuff that relies on good old on-prem AD, which is sometimes not that easy to retire, sometimes virtually impossible to retire. So applications working just and only against on-prem AD. If you go into the operational technology world, you have tons of these, potentially.
And so this is what we see. And any other drivers you see? Any other situations, factors that trigger your projects, that trigger the questions in your organizations? Then I can quickly check here, someone from the audience. So I've added from the chat: I heard security reasons, MFA for the AAD at least. For that, maybe we should then dive a bit deeper. Maybe a question to Patrick or Martin: we are using AD and AAD more or less synonymously right now. That is an issue, because these are different systems. Yeah.
So we need to make sure that we draw the line completely. But what I've put down here already, just to catch up: I've put down new business apps, software as a service, just to make sure that these are covered. That would be AAD. And Microsoft discourages AD or retires AD in the long run. And many organizations, and maybe we have to talk a bit more about the depths of your organization, do not give away too much, but where you are in the journey between AD and AAD, that would be really interesting to see, also for us as analysts, to learn where you are.
So that would be a good point. Keep AD somehow for reasons that go with these legacy apps, OT, legacy that cannot be retired because they are there. There's nobody who's able to change any authentication mechanisms, nobody dares to, because they're mission critical. You don't want to do that. Security we have mentioned, and we have M365 in place. More reasons?
Yeah, I check that. Thank you. Yeah.
So I have one here in the chat, Matthias, which is retirement of SSO built on ADFS. So the ADFS potential retirement. One second. Another benefit I see in the cloud is the improved collaboration, because with guest accounts from all over the world, you don't have to funnel them through your own legacy identity management. Yeah.
And it's this Azure AD B2B and stuff like that also, which plays in, yes. So guest accounts. In fact, it is easier to onboard externals than it is with on-prem. So I remember these discussions for tens of years around, oh, do we need a separate domain or so for dealing with the externals, and how do we treat this, and how do we make it extra complicated with some more domains even, and maybe some extra forests.
And yeah, I think the ones who are a little longer in the AD space are quite familiar with these discussions. It's very expensive and complicated. Yeah. Yeah.
And I think we all also have seen, and I think that might be also a driver sometimes, that companies have in some way even lost control over their AD. So I think at least some of us have seen AD infrastructures becoming overly complex with all the forests and domains and trust relations.
And this is sometimes really impossible to manage. Which, by the way, raises an interesting question: if you're in that situation, if your on-prem AD is too complex, should you invest a single dollar or euro in reorganizing your on-prem AD? Or is it something you better avoid these days? That would be a side effect of that discussion. Maybe another reason would be to cut costs, to have on-premise gateway servers and infrastructure administrators that have to maintain their on-premise instead of the Azure.
Yeah. Good point. Yeah.
So, costs of managing the on-prem IT, at the end of the day. Yeah. Okay.
I had this already. I just noted it down as all the cloud benefits that you have: not having to take care of updates, machines. Yeah. And scalability.
It's all just there. And basically we have the same in the chat here: you don't want to update your own data center infrastructure anymore. So the cost thing came through via the chat as well. And I think this is clearly also one thing.
And yeah, it'll be interesting to see. You know, it used to be you'd have the Exchange admin team, you'd have all these on-premise infrastructure teams. And now no one really thinks about having an Exchange admin team or having that expertise. It all just went to the cloud over a period of like four or five years. So it'd be interesting to see what happens with the on-prem directory. And do we lose... which skill sets do we lose, which new skills are required of us and IT to handle that?
So operations cost, team cost, and requalification. Maybe reusing these really precious resources much better than administering an Exchange server. Yes, we are doing much more than just managing Exchange in this age of digital transformation. They can do really better things. Yeah.
And I think coming with that might be a driver not mentioned yet here. It might be also... so when we go to the broader infrastructure, we just touched AD, then we also end up in the security discussion.
So when we take the recent Exchange attack of earlier this year, then it wasn't on-prem... it wasn't only, but I think at the end of the day you always tend to feel more at risk if you have on-prem infrastructure. So I think it might be from a risk perspective, even while things also affected the Microsoft back end at the end of the day. Yeah. But at the end of the day, at least in the overall scene, security might also be a reason.
It's, you have someone who has... so you shift some responsibility to the provider, which you otherwise have as a tenant. Sure. Keeping patching, keeping up to date. Yeah. Yeah. Right. There's quite an interesting question. We should keep that for later, because that will be an aspect when we look at scenarios, how to actually do that or how that could look like. I just read it out. It's really comprehensive, just to keep it in mind for later.
So, is there someone to cover how to deal with authentication, privileged accesses on IoT devices in direct connection with your public ID, public user accounts enrolled in cloud government platforms? So this is really a detailed question while we're currently still laying the groundwork, but this is something we should have a look at. And from the experiences that we have, just IoT plus AAD, that is interesting. There's more detail here. I will keep that in mind. Thank you very much, Jar, for providing that. And we will have a look at that later as well. If we don't, remind me, please.
Yeah. And then everything breaks down into carrot and sticks, the incentives of what you get, you know, Windows multifactor authentication, Windows Hello for Business at the desktop. You know, you get all the user benefits, and then there's the stick.
Is it possible to really avoid a future where you are all in Azure AD? I mean, we've all been down...
It is possible to avoid it if you avoid Microsoft 365. Yeah.
I think that's the point. You know, I think you can avoid it only... I think this is really the point where you say, if you go for Microsoft 365, you're in. If you don't want to be in Azure AD, then it means you can't go for Microsoft 365. I think this is the logic behind that. Yeah.
If you follow up on that logic, it's difficult in the chat, but maybe we can do it in the room at least, representatively. How many of you do have Microsoft 365?
Just for information. So, oh, it's 100%, right? Yes. So that's okay.
So honestly, we have advisory customers who don't, which really are full Google Cloud Platform, Google Docs. But these are unicorns. But these are, in Europe, relatively rare. You find them a little more in certain areas and certain industries in the US, I believe, than you find them in Europe.
So in the... well, we find some companies which are very... I know of one in the US, one of our customers, that does not have Office 365. Yeah.
But you are a little bit biased on that clearly, because you're relatively close to the Microsoft world as a software vendor. So I think that is something we need to keep in mind. So there's a world which does it differently. So there are organizations which do it differently, but there's really a sharp line you can draw, because if you say Microsoft 365, you say actually it's just that. Yeah. Right.
And just to check it again, who still runs AD, traditional on-prem AD? The same number. Who of you cannot get rid of it as of now? Okay.
So you have a very clear picture also. Maybe to translate for the online audience: 100% of the people in the room are using AD, probably all have an on-prem AD, and virtually all say we can't get rid of on-prem AD now. So I think this is really the point here. You have another question: migrating from on-prem to Azure. Oh yeah. Okay. So it's only actually now, and you cut it down.
Wow, cool. So none of these legacy apps that really rely on it.
Okay, great. Yeah. I think in that situation where you say, okay, we have all these applications authenticating traditionally via Kerberos and so on, things really become more complex.
And we have these integrated applications. We have these applications which rely on Active Directory groups. Yeah. Which, by the way, never was a good idea: to do identity management using AD groups to control access for other applications. It never worked well. It never was a good idea, but I think some industries benefited from it by saying, oh, we have a group management tool and stuff like that.
So, but that's a different story here. Oh yeah.
So, okay. So I think we have collected quite a number of drivers. Right. And maybe laying the groundwork: maybe Patrick, would it be possible if you say a few words just about the differences between the two systems, AAD and AD? Okay. Just to make sure that we are all on the same page. I think most of you know, but nevertheless, just to make sure that, as we use it more or less synonymously, we make sure what is what. Sure, sure.
Just at a high level, I think a lot of us have experience with Active Directory as an on-premise network operating system based version of LDAP with an implementation of Kerberos on top. So it is your authentication directory for networked systems and applications. And by networked, that means that they all have physical network access to each other, lots of open connectivity between them, not really an ability to have a distance between the client and go over the internet for authentication.
Now, Active Directory provides a lot of services focused on managing the desktops: Group Policies, policy infrastructure for automation of desktop settings, software distribution, which is still in the process of trying to be replicated in the cloud, which doesn't fully exist yet. Now, Azure AD is built more around cloud protocols. So it's designed for applications that do modern authentication, modern authentication being one of the federated protocol standards.
And the idea being that you do not have direct network connectivity, that you're doing more of a federation dance, redirecting without open protocol access or network access to the servers. So it is lighter. It doesn't have the traditional structure that an LDAP directory has, which benefits us as a structure for delegated administration, organizing objects, controlling who can see what, who can do what. So it has a little different model there.
And of course it ties into not just application authentication, but also the Azure infrastructure itself, leveraging it for permissions and that permissions model. Great. Thank you. Any questions, additions from your side?
What marks the difference between AAD and AD on your side? Why can you not... why do you have to keep AD? I don't know how to put that.
It's four days into the conference, that maybe is the issue. Why do you have to keep AD? What is missing in AAD that makes you keep AD as of now? So that would be really an interesting question.
Lucky you, you can get rid of it, but this is in this room at least. And I think also in the chat, not the room. Maybe we should keep that in mind as well when we design the scenarios later, how we can really keep up with protocols which are actually more AD-ish than AAD-ish. Okay. To continue. Where's the clicker? I'd be curious if anyone is using Windows Hello for Business and Azure AD based authentication for the user desktops yet. 1, 2, 3, okay. Pilots, or anyone past pilot for full implementation? Okay.
Okay, cool. Always with the microphone when speaking in the room, online attendees will not hear it. Yeah. Right. Or we repeat it here. So I just hold it. Can you just repeat it? Just said: for the desktop management, we're currently implementing Microsoft Intune. Okay. So yeah. So you'll be headed in that good direction: managed devices, conditional access policies, MFA based on trusted device. Right. If we take one step further, now we know many of you have AD, many of you have AAD.
Most probably AAD was not necessarily introduced strategically, but came with M365 somehow, and you have it in place. So the question would be, do I need it? Do I need AAD? I think we just discussed this. We discussed it. I think nobody in the room would actually be here if he was not interested in moving there. So that is one picture that I stole from Alex Simons from Microsoft. So due credit is given. So that is the picture that we usually see.
And the question is: is this your picture? And I think this is, when going back to the slide before, I think Matthias, what is the role? I think this is the really interesting thing. What is the role? And when you bring up the picture from Microsoft we've borrowed, then the question is exactly, is this your vision? Does this fit your vision? Or do you need something else? Should this be your vision? That's the other part of it.
So I think this is really what we want to discuss in this workshop, because there are really different perspectives, different ways you can take, different advantages and disadvantages.
And so, just talking a little bit from practice and from what we hear, there are these discussions about: if I have Azure AD, should Azure AD really be my strategic IDP, or is it more a target system? So is it just one system I sort of use indirectly through another system? Should I have another IDP in place, as SaaS? Does it make sense to have another SaaS-based IDP in place in parallel? Does it make sense to have another on-prem or private cloud based IDP in place, maybe for mission critical workloads?
These are questions we get, and so I think around that there are a couple of things which can be discussed and which need to be discussed. So I think the biggest risk is ending up more or less accidentally in an identity management environment where things sort of grow like mushrooms in the autumn, and you lose control about what really is the direction. What is your strategy? What to put first? And there can be different perspectives on that.
As I said, this is one picture, which is Microsoft's picture. And I think the interesting point is what would be, what could be, what should be your picture? And this is what we want to discuss over the course of this morning. Right? And just a detail: this slide is from 2018. That was a vision that is three years old, at least, even older. Does this really fit your reality? Maybe not to answer that question right now, but if you can, please: is something missing here?
What are you missing here? So I think, or Patrick, from your reality, is there something missing? Are there use case scenarios that are not depicted on that?
Yeah. Speaker 10 00:28:43: The microphone. I've got one more piece, totally fitting our vision for now. We just placed Okta in this picture as well, as the cloud IDP, with the aim to make that our main IDP for the enterprise. And that also bends our provisioning. It influences the view we have on Azure AD, because it's not our main directory. It never has been, AD as well. We always had a separate directory as meta directory and provisioned from there. So now we are also looking at where do we go from here?
So really a big decision. Moving everything into Azure Active Directory will probably happen, but if it's the best solution, I don't know yet. We have a lot of legacy that doesn't fit. So what you're saying at the end is, and this is not an uncommon scenario...
So Azure AD tends to take a more prominent, more strategic, broader role than on-prem AD had in many organizations, which means that at the end this strategic decision is even bigger. And this relates, I think, also very well to a question which just came in, which in fact is in some way a two-part question. The one is: can you actually also use Azure AD as a company's identity governance or IT platform for managing identities on-prem and in the cloud applications?
So I think there are two angles to look at when we look at Azure AD. The one is the access management part. So when we look at identity management, we traditionally have three main areas, so to speak: access management, that is authentication, federation; IGA, so user lifecycles, provisioning, access governance; and the privileged access part. And what we looked at more, I think, in the initial discussion was the access management piece.
So yeah, well, that's a lot, but the IGA piece is something which is clearly... and this is the question which came in from the online attendees. This is the second element.
So how far can we use this also as an IGA platform, which is an interesting discussion. And then the other question, which is, I think, the second part, I would split that: when you go for things like the Azure AD Domain Services, there are profound limitations that prevent it from being a replacement for traditional AD. I think it depends very much on the use case to which extent you can replace on-prem AD by domain services or a domain host, a cloud hosted domain controller. Yeah. Things we look at where we have prepared a couple of materials.
So these are questions which are related or which came in. And I think the first question is also a very important one. And then: is anyone using Azure... and we can explain what it is, but Azure AD Domain Services, of course. Yeah.
But Azure AD Domain Services, it's the idea that you could have your corporate Active Directory and you could be syncing that to Azure AD, but if you want to try to get rid of the corporate Active Directory and you still have systems that need to use Kerberos and all that, Azure AD Domain Services is basically: Azure will provision for each of your Azure AD directories a domain and synchronize it. It's basically a slave, just... it's always going to be mirrored from your Azure AD. Yeah.
And by the way, very good that this came in as a comment from an online attendee, because then I can repeat the comment and not say something... Okay. Okay. Where I'm not exactly sure whether it's already public, but the comment is: we are currently using Azure Active Directory Domain Services and looking forward to the preview from Microsoft about LDAP for Azure AD and Kerberos for Azure AD. Wow. Which is wow.
So it is not information I provided; it's one of the online attendees. Yeah. Yes. But that also might clearly change the play. That'll be interesting to see how they do it over the web, but I'm sure they've... yeah. That'll be interesting to see. Yeah. Yeah. So there are some interesting things obviously coming up. Yeah. According to this comment. Comment on that.
I mean, so Azure AD Domain Services is basically the idea that it helps you eliminate your on-premise directory by having an almost full featured Active Directory in Azure (there are a few features that aren't there) that you don't have to manage. Basically Azure handles keeping all the objects from your Azure AD in sync in this Active Directory, which supports LDAP and Kerberos and even the passwords.
So you have a single password, a single authentication, and then you can lift, what they call lift and shift, things from on-prem into the cloud that still require legacy authentication, but you're just authenticating against this Azure AD Domain Service, which is a service that you don't really have to manage or think about as much as on-prem AD. Right. Exactly.
And I think if we look at that picture, if you look what's what is missing in this picture, I think that that should be just quickly wrapped up because when this is a Microsoft vision, it's obvious that this Microsoft vision does not include any IGA part. There is no, no proper full lifecycle management on this picture. Yeah.
But, but I think we also need to be fair. Sure. It's from 2018. Absolutely. Yeah.
So, so when you go to 2021, so we trust released our leadership on Ida IGA and Microsoft didn't, didn't really score as the leader in, when it comes to product capabilities for IGA as an Ida service. But it's also not that they are don't that they don't deliver anything.
So they, they are catching up. And so they're delivering capabilities in that space. They're interesting question is, is what they have, what they have, what they will deliver. Good enough for what organizations need specifically good enough for complex hybrid yeah. Environments. That's where, where things really, really become interesting because managing some cloud applic occasions by ask him is it's not as easy as it sounds if you're honest, but it sounds still as the simpler part, but it gets really interesting when you have whatever mainframe. Sure.
And that is on the other side where you need to look at as well as for instance, the deaths and excess governance, etcetera. So by the way, also discussion, we have quite frequently with customers about this.
Can I rely on that, or shall I maybe wait two years before I do something? So this is, I think, also a very common discussion
we are seeing, and this is not in the picture. I think it's 2018. It is not that Microsoft is doing nothing. They're not yet the leader in that space. Clearly there are others, according to our just recently published research and comparison for this market.
But we also must not underestimate Microsoft. I think it never was a good idea to underestimate Microsoft. No.
And one thing that you mentioned earlier is that the paradigm that Microsoft thinks in for IGA, at least currently, I don't know what they have on the roadmap, is within a directory and within a tenant. It is not a meta directory. So the concept is that Azure manages IGA for the objects within Azure.
So even through a SCIM connector, when it's provisioning into, let's say, SAP or something that is SCIM enabled, in Azure you are defining that external system as an Azure app. But it only knows about the users in Azure or the groups in Azure that you're assigning to the app, so it can push them out. But it does not know what's really out there. It only knows about its objects. It doesn't really have a view of the world, the external world, to assess risk, to manage the compliance, to, you know, automate the lifecycle.
It's more that it's managing its directory and pushing where needed, but without a vision of what's out in the external systems. Maybe that'll change. They acquired CloudKnox, which is multi-cloud, but we'll see where that goes. Yeah. I think that, which was by the way an interesting acquisition, because they acquired one of these key CIEM, so cloud infrastructure entitlement management, vendors, and did this relatively early. So yeah.
So yeah, investing heavily, I think. Yeah.
And the thing I always say is, you know, I think last year Microsoft said we have more than 10 billion in identity and security revenue. So they are definitely one of the largest vendors in this market these days. Right. Not to underestimate, not that this is the only or always the right way to go. But these are the things why we are here to discuss: where does it make sense? What are the pros, the cons, the strengths, the weaknesses? Where does it fit? Where does it fit badly? Where do you need to be careful? An interesting point from Patrick:
Just about reconciliation, so to speak, that is a difference. Yeah.
So what is happening on the other side, getting data back, there are many, many things to look at, right? Exactly. And I think you're way too innovative as of now and way too strategic.
As of now, we're just laying the groundwork. We're looking at drivers, we're looking at why people are doing that. Something is missing. Usually there is something like a One Identity, SailPoint, power ID, whatever, that does the lifecycle management here, and that pushes identities in here. And there might be some additional access management here, there might be some additional access management here, maybe they're synchronized. So the picture is complex. Nevertheless, people are moving there. So how to deal with that? We did our homework before we started this workshop, of course.
So this is a list. I won't read it out, don't be afraid. So this is the list of typical functional drivers in this digital transformation reality that we collected. And if you just have a look at that, and if you find additional points, additional items of interest for yourself, just keep them in mind to make sure that all of this is covered.
So this would be, for example, Windows Hello for Business, which is a major driver that we see in organizations, easy onboarding of a stronger authentication, even easy onboarding of new users, just wing waving, smiling. But again, there are alternative options. There are others. They are, but they're expensive.
It kind of goes back to the days of the Novell network client. If we remember that, Novell NetWare, great network operating system, but for the Windows integration you had to have this clunky network client to handle the login process, which admins didn't wanna manage. They had a few issues with bugs, and eventually it went out: why do I, I'm gonna lose functionality, but I'd be willing to give that up for maintainability just to do a native Windows login.
And so if you go with something like HYPR or one of the vendors that offer that strong MFA and biometrics on the desktop, they're expensive because they're not gonna make money from other licensing. So they have to make their money there. You have to deploy software, and you have to manage software.
So it's, yeah, I think it's always looking at a use case. What is your environment? What do you need? Where does it fit in? And making conscious decisions. I think this is really the point. Yeah. Here's the question, I think. Yeah. Sorry. And I think this is what we really want to help you with, that we bring in our perspectives for your decisions, because at the end, you need to make up your mind about what is right for your organization. And that only can be done with all the detailed perspectives
you have, the detailed challenges you have in your organization. There's nothing we can do just by a generic thing, a generic perspective.
Sure, sure. Yeah. It's business.
And so, as I said, we have seen so many different scenarios, different use cases, different requirements. Some of them I feel sometimes are easier to answer for me. Some are really somewhere where you need to go very much into detail and look at what is the way, what maybe also the transition architecture is, and that might also be a long-term transition architecture where you say, okay, I have on-prem legacy for a while.
I shift something to some of the, whatever, cloud-delivered domain services over time, try to retire that, but we'll still keep something which is supporting the legacy world for a really long time. And this might be a, whatever, three, five, eight or ten year plan. Maybe if you look at the innovation speed in OT environments, this really might be something which is more thinking in decades than in years. One thing I think we don't have on here, which I just thought about, is that a lot of organizations develop in-house software.
So, you know, that helps on your strategic decision, whether you're aligned with, you know, Azure, or if you're more of a Java shop or a Python shop or an open source shop, whether or not you're getting additional benefits for that aspect of the business by putting more into Azure. Yeah. Which also, by the way, opens a totally new topic, which is if you develop these digital services. So until now we probably took more an employee plus partner perspective.
We had some discussions about the partner perspective, but when we take more of a customer, consumer perspective, then again we might end up in a situation where we say, okay, there's something additional, something different we need to serve these needs, to build the digital services against sort of an identity platform. That is again a different play. And so I think this is also something where you need to be very careful and conscious. And we had this IoT question as well. So clearly also the question is where to better stop.
So really putting all eggs into one basket, or is it at the end maybe too much? As I said, there's not a right or wrong answer on that. Yeah. There are some things which are super clear, as I've said: if you have Microsoft 365, you have AD, what you do with Azure, then that's where the discussion starts and there are options, and this is what we try to do today. Absolutely.
Or here, so let's proceed from here. Right.
So just one thought, because I see privileged identity management. If you've attended EIC before, or if you read what these analyst guys typically publish in the recent years, we've been talking about privileged access management quite a lot. And if you have an AD and if you have a traditional IGA, you most probably not necessarily have a PAM solution in place. When moving to AAD, there come some basic and not so basic privileged access management functions with that.
So just by moving towards AAD, you might be at a good enough privileged access management. Or not, or not, or not. That has to be decided, exactly, because it is, it's gone away. There it is, privileged identity management's in there, there is some functionality, just to distinguish whether this meets your needs, meets your requirements, your, yeah, your external requirements, your, I don't know, regulatory requirements.
So, but it's better than, yeah, what? But again, it depends on how your world looks, and we see this fundamental sort of evolution in PAM, this CIEM thing, again, we talked about prematurely, tries to unify this perspective. So beyond having here something, here something, here something, but really privileged access management, which is server focused, will have to evolve. And it's evolving, honestly, when we look at what all the vendors are doing in that space.
So it is clearly also that we see shifts here. And again, this will lead into questions over time, which then are, so how do I proceed here?
How does my strategy around CIEM, PAM look like in the future, and whether or not Azure AD PAM shall play a role in that? That very much also depends, that's what Matthias said, on your requirements, on your organization and where you are, what you have, maybe also what you learned from traditional PAM, where it became sometimes a little overkill. So I don't see that many organizations very actively using session monitoring and session recording in practice.
So many have it under plan. And at the end they learn it's, from a manpower perspective,
it's really tough. So I think these will be questions which also pop up over time.
And again, I think it is then making conscious decisions. And one of these points always clearly is also: is it good enough? So in some areas, and we discussed this around IGA, it is not the leading product. So the question will be: is it good enough? Are the must criteria met
you have, or not. We have seen very different results on that, depending on what the requirements are. But we also have seen situations where AAD, to be very clear, really didn't meet quite a number of the must criteria, depending on what you need for certain types of use cases. And this is, I think, always also this discussion about: is the benefit I get by complementing things big enough to justify the investment? Because if you have two things instead of one thing, then you pay for more than one thing, you need to integrate, you need to make it work together.
All interesting challenges. On the other hand, it needs to be good enough. At least you need to have the right stuff in place.
And so a complementary strategy also is something which I think always will happen. I think most organizations will not just have Azure AD in the future, but Azure AD plus various components. I think we had this for AD as well. If you're realistic, there haven't been that many areas where we had so many vendors of admin tools and security tools, etcetera, as around the on-prem AD, a huge number, because you then again need stuff around that. Yeah.
So, and again, as I've said, we need to make this work for complex multi-cloud, multi-hybrid environments, and always look at how this looks in your organization. Our organization is relatively simple in that respect. We're closer to here. Yeah.
So it's really more or less a pure AAD shop. Okay.
But yes, you need, yeah. Actually, that chat, yeah, nothing in there as of now. So please contribute. Before I switch to the next slide, are we missing something here? Functional drivers, final chance to add some. If not, nonfunctional, just the pragmatic side. I think price usually is already there. You have to pay for that, sure, but it's already there. It comes with M365. It comes with Azure. It's there. So these are non-functional drivers. It's just pragmatic. It's there. This is more already something that you'd have to do on purpose.
This is usually, yeah, more or less just the, it's there. Once you have it, it integrates with many software as a service services. So you really can just reuse it. Its deep involvement with Windows 10 and Windows 11 is really an argument for it, and it's not functional, it's just convenience. It's management of devices. It's management of your users. This is more the contractual part.
You have an established vendor relation with Microsoft. Because of this, end users are used to this type of authentication, because it looks the same, like logging onto your favorite online shop, more or less, so a flat learning curve. Contradict me in any case, if you think this is wrong. It's improving standards support. Usually Microsoft came with that notion that it's standards, but a bit different, but that's no longer true. The standards are fulfilled. You're really getting better when moving towards an AAD. And then strategic points of view. This is also nonfunctional.
So if you have a mobile-first strategy, it surely helps to use an AAD. It's not the only option, but it's a good option. Cloud-first strategy, same here, comes with Azure, comes with cloud first. Finally, post-pandemic remote working experience. So we had to learn it the hard way. Many moved to Microsoft 365, to Azure, to cloud-based working instead of having 32,000 VPN channels into the on-prem network. So this was the other option. So this is something where you are just already in the position that people are now used to working remotely.
And as we are using Teams right now for that platform, and five behind that. Missing nonfunctional drivers: why are you using it? Because of these reasons, other reasons? Just to make sure. There's somebody, got it, just a sec.
Speaker 11 00:51:50 So one driver that we have, and I think there are other companies as well, is that we have a lot of different operating companies that run their own AD, their own access management solution historically, and Azure AD was a chance to actually get all the users into a single place.
So that's when new applications that cross opcos, they can get the data on the users from one place and not having to write separate integrations into all of the different access management systems. So it's consolidation. Yep.
Okay, great. Thank you. And this is awesome. Just nonfunctional. It's just a way of cleaning up the mess.
Okay, great. Thank you. Any other points that we're missing here?
So we have one comment in, which is an interesting one, which broadens the topic a little. Okay. We are currently more talking about corporate perspectives on Azure AD. Governments also have an interesting challenge here, because then it's also about the citizens' public IDs and stuff like that to be brought in, which is another challenge, which is another play in many respects. So it is something also at the end.
The question also is, for instance, from a government perspective, how good is it when it comes to the specifics here, keeping the individual rights, stuff like that, which all come into play here. That is a question we just received via chat. Yeah. But I think we have quite a number of drivers collected. We also have already discussed quite a number of aspects around Azure AD and the strengths, the weaknesses, challenges, et cetera. Matthias, maybe we move on. Move on.
Yeah, move on. So as you remember, just going back to that slide, we're at drivers for moving AD to the cloud. So that is, and this with a distinction between AAD and AD, and understanding what we have on-prem and what is available in the cloud and what much more AAD can offer, and what's still missing. That was the reason for these slides that we've seen right now. So we are at the typical nonfunctional drivers. So we come from AD first to AAD
first. Is there really a possibility to switch over to an AAD, getting rid of AD? Do you want to do that? And how can you do that? Is that strategic or not? This is nothing that we can tell you, but we should discuss the different scenarios that are resulting from that. So having a look at the time: we have a three and a half hour workshop, we have one hour spent. So it might be an idea to do a break now, do another hour, do another break, do another hour. Then we have two breaks, which might be quite good. So I see at least positive reactions from the room.
So let's start, I would say, at 10 minutes past 10, right? Again, so also for the online participants, we leave the remote, grab a coffee at your own coffee machine at home or in the office where you are. Right. And we will be back at 10 minutes past 10, Munich time. Munich time, yes. So in 14 minutes from now, according to the clock of my computer. Building: you have to return and wear a mask. Okay. We are live already, right? Yeah. Great. Thank you.
So lots of drivers, lots of laying the groundwork for where we are when we come to looking at AD and AAD. And now we're taking one step further, thinking about, from AD first, considering that this was the starting point where most of you really started off from, to the option of moving towards AAD first, or more precisely, to assess the strategic role of an AAD. That is most probably the interesting part here.
So the question is in the sub-headline: should Azure AD become a central element in your access management strategy, and which role does it play in there? So does it just extend the reach of your existing directory to the cloud? Or is it really just something that stays in the realms of Microsoft 365?
So the question is, if Azure AD is to become more strategic, because of the reasons we've seen with the functional requirements slide before, and very important, who is in control in the organization of the actual identities, their access? Who does control that? Is AAD a master of data? Is it a provisioned system? Is it a slave in some kind of way or manner?
That would be the interesting question that I think should be something to discuss more. Better speak to that screen and that camera, by the way, right? Yeah. Okay. For the online audience, otherwise... I'm wearing glasses.
This is much bigger. Yeah. That's true. Same trouble as I have here. But you're absolutely right.
As I said, I'm still better tested for these types of workshops. Patrick has a clear advantage. He doesn't wear glasses, but I have the hearing aid. Okay. More hair also. Can't have it all, I guess. Yeah. Those were the days. And the question is, as we've talked about that as well, what are the benefits of changing to AAD first or to AAD only, if possible?
So that would be really something to discuss in more detail. And that is of course a strategic decision to be made for every organization or group of organizations. What is the proper timing in terms of cost, effort, and benefits? What to do when, and how to do that along a roadmap, timeframe? Maybe, if possible, get some of your input. What are your thoughts currently for your organization? Maybe we can collect that a bit, get more interactive, just to get more input and to react upon that.
Also, are there any strategic measures from your side? What are you doing within your organization? Not to give away too much, not naming the organization, just so that we learn how strategies differ. Among the online attendees, raise your hand and we can tune you in if you want to share your perspectives. Don't be shy. I'm neither. Anyone? You need to keep the microphone, Patrick. Formally, what is it for the hygiene rules? You formally should keep the microphone in the hand. Okay. Okay. Next time. Yeah. Next time. But it has been, that's a good idea.
It has been freshly disinfected.
Speaker 12 00:59:21 For us, it's a mixture of these questions here, because we used Microsoft Office 365, and therefore we have now Azure. And because we have Azure, we want to use it more in the future. And so strategically AAD will become our, yeah, new identity provider, because all the functionality of conditional access, MFA, the users know how it works, and therefore it is strategically the way forward to use it. But with a layer of PAM and IAM or IGA below, which is managing all the access.
So what would be your concerns, your things where you say that might be a challenge for you in moving forward? So are there things where you say, okay, we are going that path, but this is where I want to, or where I need more information, where I'm concerned, where I feel I might not need something different? Is there anything you can share around that?
Speaker 12 01:00:20 Yeah. We try to harmonize or consolidate our Active Directory a little bit, or have one single tenant for the whole group.
We have many companies in our group with their own IT, own Active Directory, sometimes with own tenants. And now we try to build one single tenant for the whole group. And this is something from AD consolidation. Tenant consolidation is of course a data privacy topic we have to discuss. And also the strategic way how we use it, because we have mainframe, we have a lot of applications on premises. And then it's the way how to define the border. What is used internally? What is used with AAD as identity provider?
And those are the discussions on this, and also all the interplay, which by the way, just to bring it up, there are various ways also for long-term transition strategies or integration strategies. So some of you might have seen this picture of the identity fabric we are showing around quite frequently.
One more slide, one more slide. Okay.
And then we can touch it, because that's also one element. There's another hand raised in the back.
Speaker 12 01:01:42 You want me to just hold it? We ask for chicken, hold it, join. And then we have a comment also from the online attendees, which I'll grab next. And we have one hand raised. Start with him, start with
Speaker 11 01:01:57 them.
So one, a global retailer, we have about half a million users in our Azure AD. And we are using it as a platform. One thing I would like to understand a bit more is around the discussion about integrations with applications. So we are moving more and more into JIT-based integrations. So basically not having any real integration, but sending the relevant attributes as part of the SAML, OIDC. And then basically requiring the application to do the cleanup of the data in some form or shape or manner. And I'm interested in what other people are doing in a similar situation.
Is this the way forward, or are people looking at SCIM integrations or similar? Great, thank you. Okay.
Then we, maybe this is, I just look up the name, pop, if you want to speak, just unmute yourself, and you should kind of come in, listen, can come in with or without camera, and you should be able to speak and bring in your point.
Speaker 13 01:03:03 Yeah, I hope I'm audible. I
Speaker 13 01:03:07 Okay.
Yeah, actually we are already there. So we have Azure AD and Active Directory running in parallel. I think the main challenges we definitely have is the application factor, meaning that a lot of applications use legacy protocols, legacy authentication, especially LDAP. We also have a PAM solution in place to, yeah, deal with the privileged access management for both Azure and the Active Directory environment. And identity management-wise, we also have a leading system, which is SailPoint, which is in front of all those systems.
So we are more or less creating accounts in SailPoint, moving them over to Active Directory, so creating them there via SailPoint, and then those accounts go to Azure Active Directory, so that we have a one-to-one relationship between the different systems. Okay, so this, yeah, that sounds like a real elaborate solution: it's lifecycle management and PAM and the provisioning towards AD and AD to AAD. Sounds like a well thought out concept. Can you elaborate on that as well?
Speaker 13 01:04:17 Yeah.
The benefit of the idea is really to have a one-to-one relationship between the different systems so that we can more or less not have cloud-only accounts at the moment, due to the fact that we are still in a hybrid environment here, especially when we are looking at the privileged access management, for example. So it's quite difficult sometimes to differentiate between people who need to access services which are still located at data centers, so meaning on-prem, or whether they are now also able to use services within Azure.
So within the cloud environment, and rather than having separate accounts for each of the environments, we have one-to-one relationships, and either of their accounts can be used through the PAM solution to access those boxes. Our actual goal is to get rid of Active Directory by end of 2022. This is the official statement. Not sure if we get to this point, to be frankly honest with you, having in mind the issues we are currently facing with a huge amount of applications, but at least we cleared down already two data centers, and two data centers are still remaining.
So one will be decommissioned this year and the next one by end of next year as well. Can you share your vertical and the number of identities?
Speaker 13 01:05:32 So we are from the energy sector and we have around 20,000 employees and users in the systems, 20, 30,000. Okay. Thank you. Thank you very much. That sounds like you are already almost there. At least you're definitely
Speaker 13 01:05:50 The Windows 10, Office 365, all this kind of stuff. Yes.
Well, conditional access. Did quite a piece of your journey, definitely. Thank you, ANCO. And so we have also one more comment here, which is: we would like to have a centralized location where we can administer all company identities. So Azure is the single source of truth for applications, notably. One of the other online attendees put a heart to that, expressing it's not only the wish of the one who has been commenting. So this is one of the other things. Okay.
Further comments. What do you assume for the role of AAD in comparison to AD, and additionally, as we've seen, we always have these additional systems actually taking care of the user lifecycle, as of now with the current reality. Single source of truth expected to be AAD, at least for authentication purposes, not necessarily for the full user lifecycle. Is this common sense in this room?
Or are there people that say, no, I would do it completely differently? Just a sec. Or in the virtual room. So if we talk about room, we mean, so to speak, the whole world, the room and all the people who are listening in. Yeah. Sorry. In our company, for new applications, we go of course towards AAD and have AAD as a single source of truth for the applications, but for legacy applications, they die hard. I expect that with the gradual retirement of the applications, we will then migrate over step by step. Sure.
Okay, great. Thank you. Any other opinions? I will look
Speaker 10 01:07:51 Just to say it again. We made the choice to not do that, not put AAD in front of everything, but have it as a second system, basically, because we have our major directory on-prem still, and that will probably move to, in this case, Okta as our main identity provider, the entrance point for all identities. And what we are looking for is actually to provision to AAD from Okta, if possible, where we see a lot of problems.
Yeah, yeah. Which is a way we also see, this is custom in a couple of organizations, I have to say, that there's something else plus in place. And I think this is always then the question of what is the right way to proceed from here. And as I've said, there's not the one right answer, because at the end of the day there's still not the perfect system out there.
So all of them have their strengths and their weaknesses, as you always can see in our Leadership Compasses. Clearly, vendors always feel that we are treating them unfairly, but if all say you're unfair, then we're probably quite fair in what we are doing. So at the end of the day, this is clearly one of the things which can be seen. And I think that, as I've said, there are different ways, and it's always looking at which functionality. And I think this is an important point, maybe before the end of the entire discussion.
And we had this high-level list of nonfunctional requirements. And at the end of the day, it's really the recommendation: start with understanding your current and your future use cases. So really look also at what is happening, what is trending, like, oh, we need to get a grip on the multi-cloud, multi-hybrid world, we need to do that.
We need to, that we have the customers here, the citizens, or all the other things we need to bring in, how we save for whatever regulatory changes. Collect all these functional, nonfunctional requirements, or roughly the use cases, and walk through it. And then look at where you are with the different options. Compare this, make this really also more detailed, because this will pay off. On the one hand, you will feel more confident in the decision you've made, and you potentially can make a better decision, because then you look at details.
Also a recommendation: don't end up spending weeks on a single technical aspect. Sometimes this is what happens with very geeky discussions. But the other side of that is we all know that every journey with an identity management product sometimes may get bumpy at a certain point, always has bumpy patches. Definitely.
Yes, it is just reality. And the point is, when the weather gets rough, you need to have a good stand, so to speak, as the captain of the boat. And you only will have a good stand as the captain of the boat when you're confident in what you're doing. And you only will be confident when you have carefully evaluated the various requirements and have the answers in place, at least for most of the questions which come up. When you don't do that, the use case, requirements parts, roughly, this is always what puts you in trouble when the weather gets rough. Yeah.
I I'm clear expectations. Yeah. Yeah.
And, and, you know, you can better argue, argue than for, for your decision and, and you, you have better reasons for having the stakeholders on board. Yeah. And I think what you said before, the break that everyone's looking to not overshoot good enough, but then everyone has a little bit different requirements for good enough. Especially based on industry regulations and requirements, the, the banking good enough, or the defense industry good enough is very different than good enough in other industries.
So, Right. So, so we have, we have two interesting two interesting comment here. And so the, the one is we have a centralized IDM system, more comments to come in, which, which provides to AAD. So our truth, this system, and the AADs only one of, a lot of targets such as, and ad cetera, they get a pretty good centralized life cycle. So in that case, it's, this is multi IGA perspective in that case, but which says, okay, we, we have this and this it's a little bit in the same direction as you, one of the people in the room brought up saying, okay, we have this IGA solution.
And we provision into the ID world. Again, what is important is always, we need to keep in mind from a perspective, we have two major pillars. At least we are always talking about one is the access management piece. So where do we authenticate people? Where do we federate from? Which can be actually, and what is the sort of the IGA part. And behind that, we also have the question, what is our, our, our repository, where are our identities? And this is also where, where another comment from, from the online audience goes in which that's, which is a fair comment.
I wouldn't say, or an interesting comment to be discussed. I wouldn't say Azure AD contains any identities at all. I realize that some people build a model where the AD user objects are identities, but it still seems like AD and AAD are absolutely too much user object focused centric, as opposed to identity focused centric. I think this is a point we might pick up a little later because yes, there's a difference between a, a user account and an identity.
So, and keeping that in mind, I think is a, is, is an important thing. I, I would probably disagree a little with the statement for Azure AD because we can fed out from Azure AD into other services.
So it's, it's somewhat different than the, on-prem AD with respect to the notion of users and identities, but it's something clearly to keep in mind and maybe to put on one of these many lists Matthias already has created. Hold there: AAD object, identity, user authentication object. Yeah.
So, so all with question mark. So, so what is that? After all, identities can own and control many user objects, and an AAD user object, I think that's very, creates still only a user object, even if it's reused, synced, federated to many other places. And so there's a little bit ongoing discussion about how, how this is meant, but I think it's an interesting point.
And, and then there's another comment. So Azure AD, Okta only good for authentication for the access management piece, but IGA needs more. This is a comment from one of the other online attendees saying, okay, we need more when it comes to the IGA part, which is already a little, as I've said, and you have access to our research. We have trust our leadership. H I G out where we also look at the capabilities for, for the IGA part of that. So there's definitely more information to be found here around that. Maybe may I ask you the question?
You said you were moving your on-prem IGA processes over to Okta for doing the provisioning processes. And so, so as, as this comment said that Okta and Microsoft Azure AD are very close when it comes to the authentication part, what is the added value? I'm not discussing Okta versus AAD, just to learn why you do that.
So what, what, what adds Okta?
Speaker 10 01:16:01 The multi hybrid cloud is basically the reason for that, because we see a lot more of integrations coming and Microsoft Azure AD is not the most integrable solution in our opinion. So we chose Okta because we can actually get GCP and whatever comes with it, the SAP cloud as well, into that one Federation hub.
Okay, great. Thank you. Just to learn more for, because that changes the picture where yeah. Do you see that in practice as well?
Patrick, We see, we do see that in some places, but I mean, it's the whole good enough thing. If you have, what are your use cases? What are your requirements for application integration? And do you, do you need something like user managed access or something that's not really out of the box in the Microsoft Federation stack. Yeah.
And, and, you know, you know, I think we, we need to be clear. So on one hand, Microsoft has gone through some evolution.
So, so when you look at connecting to the on-prem world, a lot has changed over time. Yeah. But we also need to be very clear about some of the vendors which are out there for 15 or 20 years or so, or, or even have placed in the mainframe days have, have, have a longer history around that. And so it's, it's really carefully looking at also, what do you need to achieve? And this goes back again. So what are your targets today? What are your target environments tomorrow? What do you really need to achieve?
And, and then, then look at this: is it good enough? What are your must criteria? Also be very, very realistic on must criteria.
So, so if you have more than 10 must criteria, you should start carefully revisiting whether this is must or this is just a high priority thing, but I think this is really the analysis you always need to do because the devil is in the detail at the end of the day. And you need to understand whether there, there are a lot of small devils around or, or, or whether there are bigger devils. What you do is these devils. Then there always will be some, some devils in the detail. And I think it's understanding how big and how many these are. Yeah.
And is, is your, are you most important use cases for Federation B2C? Are they B2B or is it the integrated desktop enterprise experience? Cuz then you have to think about they're coming from a managed corporate PC. What's going, what are the advantages and disadvantages of different options there? Yeah. Okay. So yeah.
And, and I think there's also a comment, which is fair. One might argue that Okta has better life cycle management capabilities than Azure does in its current state. We might argue, we might also argue there are some other tools out there which definitely have a better life cycle management without any doubt. I think we, we, we can, can very clearly state this. The current state is also an interesting thing, always, because I think when going back to number three on the bullet point list, the strategic thing, then, then this is, this is clearly what I see from conversations with many customers.
This is the, the big challenge saying, Hey, it's really not good enough today in some cases. So this is a little bit the notion sometimes for some use cases, at least.
But, and, and I think this is, this is really something which is also not that easy to answer because, so the question is when, and to which extent, will what be delivered in the future and what will you need. But again, I think you can reduce the risk by careful evaluation of your requirements for today and the future and, and also the transition architectures.
So, so how do you move from where you are and which timeframes do you do? Do you need to do that? Sometimes you have a very short period of time where you need to just get things up and running a totally different play than when you say, okay, we arrive, whatever retire my tool X in one year, two year or three years, doesn't matter that much. It gives you a totally different play. Also in this discussion, sometimes you, you just can say, okay, come on. Let's wait another 12 months and, and postpone a decision which some of our clients did. John Oliver says, moving on, moving on.
This is an assessment that we did as of now; this is not a view of the future. Things are changing, but to explain the bit, this is our, my KuppingerCole IAM reference architecture. And the important thing is to understand this is core IAM. This is related extended system related systems. So we are looking only at that area. So we think directory services, privacy and consent, SoD controls management, all is part of IGA plus plus core IAM. And we did an assessment of how good is Microsoft Azure AD.
As of now, this is not bashing, that is not praising. This is just assessing what we think the current situation is. And if we do that, we have strong coverage with this fully filled block, good coverage with these tiny scribbles here. And this is limited coverage. And if we look at that, we see where Microsoft Azure AD is good and where there is room for improvement. And that is also something to keep in mind. This is not really a recommendation. This is just an aid to look at when we really want to make sure how to understand where it's good.
Maybe one of these is not as you would assess it, as a tool for making sure that you understand what it can deliver as of today. And if we look at that, he said, shall talk to you. It looks like the slide doesn't come over.
Well, it should be, I think every attendee, you should see the, the video and the slides. Isn't it?
Speaker 14 01:22:16 We're switching. Okay.
So, so maybe in that case, you go for the slide first, because the slide, the slide is more important than Matthias. Yeah.
Speaker 14 01:22:30 Probably it won't get. Ah, okay.
Speaker 14 01:22:35 On the other side, but can put full speed. Yeah.
I think, I think it's preferable for the slide, at least for this one, density of information. So when we have complex graphics, probably better put the slide in front, right? So I want to be pointing here with the, with, I think for some reason people care more about a slide than about seeing Matthias. This is perfectly fine. This is perfectly fine. So if you look where, where, where AD is good, obviously it's, it's in the directory services part because it's, it's a data store and it does that very well. It's performant.
It's, it's scalable, it's failover capable. So this is really good. It's of course, really good, because we mentioned that as one of the key criteria, why they people do that it's adaptive and strong authentication it's access management. When it comes to identity Federation, there it's very strong. If we go down the ladder one step it's it's. It's good.
When it, when we look at access management for web access and legacy, for delegated administration, yes, it is getting better. Their self services are, are improving for Azure AD as well. User self services, quite well. Identity like access governance and, and privileged access management is there. It's, it's basic, it's much more than many organizations already have. So that is where Azure AD could add some, some, some additional functionality without any additional work to do. So that is just a tool to assess where Azure AD is.
If you disagree, please tell me. If you think that it will change over time, yes it will. And then this assessment has to be redone, of course, but this is what we did as part of our advisory slash research work, to make sure to understand where it's better. If we did the same for, for example, for Okta or any other, IdentityIQ or for EmpowerID in the cloud, to see where are functional overlaps, where are augmentations of functionality, then that would help as well, just by adding another color and adding another solution to understand where we are right now.
So that is just help for you to understand where, where you could improve. And this reference architecture is really helpful and you can find it in our publications, of course, as well. This is nothing, no secret sauce. This is just a tool for, for moving on. If there are any questions or comments or contradictions, please let me know, Struggling slightly with that slide. Doesn't come through that clearly as it could be It all.
Oh, okay. I had one, one question.
I mean, just the show of how many of you are using Azure PI. I'm just curious. Okay.
Two, okay. Anyone using the entitlement management part yet?
The, the requestable resource bundles, entitlement bundles. Bundles, like, like Sentinel already, or, say again? Bundles like Azure Sentinel already, or we talk Azure AD? Yeah, I think we are. Okay. Okay. Those are some of the newer features, just curious to see, and SoD's coming, but again, it's the good enough. It might be good enough for some people. The approach is, they get a feature in there, they get user feedback and they make it better, which is a, is a good, great approach. But the SoD is very coarse-grained.
So it's between, you can't have this group as an example or this group, and, but it's only within a tenant, without some of the, the business context that you might have in a more traditional SoD engine. So it might solve some use cases, but maybe not for other people. Exactly.
So if we, if we take a step back and look where we are in this workshop, we learned people have AD, people want to move to Azure AD for reasons; reasons are on that wall. And on that slide that we've seen, we've looked at what might be missing, what are potential requirements that imply strategies to move forward. And then we need to move forward to another topic, unless Martin disagrees, I would like to actually go to that point: AD, keep or retire. So we've heard different approaches. AD will remain, AD will remain for reasons, for legacy applications that die hard.
As you said, here it has gone. So there was a clear change towards IDaaS and Azure AD being the authentication part. So maybe we should have a look at that as well. And again, this is not a one size fits all. We need to understand that every organization has to make this decision on their own, but maybe Windows Server AD, do you still need it? We've learned some do, some don't. What are the reasons and what can we do with that? And that is the reason that now we are moving closer to this "moving your AD to the cloud" part.
So how to look at, at infrastructure and, and architecture scenarios, how that, that could look like with the standard solutions that Microsoft provides and maybe with additional solutions that third party vendors, but maybe also just good processes, can support to get to a proper solution. As we have seen, I, I really like that thing that we've heard from this energy sector: IGA provisioning into AD, having PAM in place, legacy apps authenticating against AD, and then provisioning into AAD. So that is, looks like a well thought out concept. Could be, could work for many, but not for everybody.
So why keep on-premises AD, for which use cases? We've seen that many times when it comes to operational technology, to the factory floor, there are often very, yeah, old, sorry, old applications, but they do their work. They are really essential, for example, on a factory floor for doing just production tasks. And they are still running on XP. They are not patched. They are not connected to the internet. They are just talking to an AD for authentication purposes. That's it? Yeah. So for the factory floor it is the, the usual thing to do. Legacy applications, that is where you come in.
Legacy MFA often is a reason because these old smart card solutions not necessarily play well with Azure AD. That is not. And the question is in the, in the end, how long do you want to keep this? And is there a way out of that? I asked the question, how many cannot get rid of AD. That was almost everybody except for her. Right. Okay. So next step, architectural options. And here I need your help.
Then we have a look at what is in place by Microsoft already to support you in, in getting to a more smooth transition over to, to a combined world, which, which, which makes sure that AD and Azure AD with their different models, but at least for authentication purposes, et cetera, how they can work together. First thing, a DC in the cloud, a domain controller running in the cloud. I think you have experiences with that as well. So first of all, what, what is it? Either you have a, a slave domain controller or a, a trusted domain controller running just on IaaS.
So it's just something that you deploy somewhere else. You have a trust relationship with your on-prem DC and your cloud DC, and keep that in the cloud. So to be, to be open, this is just taken from Microsoft standard documentation. I did not paint this nice picture, but the idea is really that you have an on-premises network with an AD server or a set of AD servers, a gateway, another gateway. This is cloud. So you have a virtual network and you get to actually to a VM running the AD service. And here already, we have a look at that later on as well, AD DS being in place as well.
So this is the bigger picture already, but you could move, without having to run it on-prem, you could move a DC into the cloud. So you deploy Windows Server on a VM, you virtualize AD DS, you connect via a VPN and you make it highly available. And then you have a DC somewhere else without having, having it to run on premises. And of course you could in the long run or in the short run get rid of this as well and have this as your master DC without having it running on-prem. Does this solve your problems that we've seen on that slide? I don't know. I don't think so. Just moves it. Yeah.
Your experiences with that is this is this, is this in place? Do, do you have to deal with that?
People, some people do this it's basically, I mean, usually just to appease an executive mandate to check a checkbox off that you have it in the cloud, but it doesn't really solve many problems. Yeah. Great.
Martin, any comments from your side? No, I honestly, I, I don't see that super frequently, but there are, there might be scenarios anyway, where it's relevant because at the end, if, if you really say I do something new, I don't want to have the data center infrastructure, but I have all these old stuff and I need to connect it. And then there might be options where you say it's the only way. So I think about OT, I think it's, it is a way to go there. So it really depends.
I think, on the infrastructure and the end, the use case you have. So we shouldn't, we shouldn't diminish it and shouldn't go over the top here because there are use cases when you really need to, so to speak, a traditional AD world, but you don't want to run it on premises anymore. And I would say, I mean, a better option might be the Azure AD Domain Services for that case.
It's like, yeah, yeah. Right. So if you look at the pros and cons, of course, these are just headlines that we discussed. Yeah. But there's one, two hands raised already. Let's look at the chat. How many hands are raised? None yet. Yeah. It might be simply a necessity. If you go for a lift and shift approach of moving legacy applications into the cloud. Of course that's not the ideal world. Everyone knows it, but that's the real world. Yeah. Right. Okay. Thank you. Come over. It's thirsty. I'm not running anymore.
Speaker 11 01:33:34 So we have, some of our opcos are doing exactly like this. I have some other opcos that are lifting the AD DS into the cloud as well. So they're not using the AD DS because they were not convinced about cloud joining the servers. So they did a conventional approach. And obviously, like the previous speaker, this is kind of what you do when you do need to do a lift and shift operation. So if you really want to leverage Azure and the more modern way of working with CI/CD, you probably are gonna use quite different options than this. Yeah. Right.
But, but it is an option and there's a reason why it is there. Absolutely. Yes. Any other comments? I think you shouldn't end up with this option just because, because you want to keep the good old AD. That would be the wrong. Yeah.
But, but, but, but for the reason that, that he just mentioned, if you want to move your application that is AD-dependent to the cloud, at least as an interim step, that, that could be a solution. You know, I'm not the AD fanatic, but that could be a solution for that as well. Any other comments? Who has this in place? Just again for this: 1, 2, 3. So right around whatever, 15, 20% here.
Oh, we have a, no, it's already down, the hand. So here's a hand raised, Nico, if you wanna speak up, trust Julian.
Speaker 13 01:35:02 Yeah. We have such kind of approach similar in place, has been shown a bit more complex, but yeah, we moved some of the domain controllers in Azure, especially for the apps which are still using this legacy stuff, so that we have an own environment in Azure for the Active Directory part, and the services in Azure which are hosted there in Azure, yes, are using this particular two domain controllers and not the on-prem ones anymore.
And only the connection between the on-prem and Azure domain controllers is in place. So they, they, they only talk to each other and the cloud hosted applications only use DCs in Azure. Okay. That's how we do. Thank you. When you talk about legacy applications, may you share your, just your, your vertical, which, which, where do you have such legacy that you cannot get rid of?
Speaker 13 01:35:54 Get rid of? Yeah. So PowerPoint applications at the moment, also still SharePoint. We are about to move SharePoint to the newer version. I think we are still on 2013 and yeah.
Those kind of applications and some applications used in power plants and, and so on, these are quite old fashioned ones. Yeah. Right?
Like, like the factory floor stuff, this stuff you cannot get rid of very quickly because they, they are reliable. They're working there, there, and you cannot move them And you, you trust might have nothing different available. Yeah.
So as, as, as I've said, some of that OT stuff is moving slowly in evolution, as we know. So if you want to find systems even older than Windows 7, then look there. Yeah. You have a chance to find it sometimes. Sometimes not. But I think this is just a reality we need to deal with. And this is really then an option you may have as well as with, if you have, for instance, also homegrown legacy AD, fully AD-integrated applications, then as part of a lift and shift, where you say you can't, so you won't modernize these applications anymore. You need them for a while. Yes.
You know, sometimes you have, have to deal, to lift these dirty things, right? Yeah. For some definitions of dirty. Yes. For some definitions of you're. Right. Okay. Next stop: Azure AD Connect, different, different picture.
So we, what you do have is a, an Azure Active Directory. You have your users signing on to Azure Active Directory with all the apps in the cloud, but actually the, the, the authentication takes place against the, the traditional on-prem AD. So this is usually for those organizations who just do not want to have password hashes in the cloud. So that would be the starting point in, in general. So only if you use it by just in the default configuration, as we have it here on top, it syncs with the, the password hash for S forest.
And you can do lots of configuration to change that, to, to have an auth choice again, with Active Directory Federation Services. So if we come to close in one of the next slides, so that would be at least making sure that you can reuse a single authentication source across the cloud and in AD. Again, from the practical perspective, from the real life scenario, how often do you see that still in place? It's mixed.
I mean, it seems like the easiest and best idea. You get, you know, a lot of fault tolerance cuz you have passwords in both places, but some organizations aren't comfortable with syncing a hash of the password to the cloud and I don't know. Yeah.
But mixed, mixed, Mixed, again, the raise, the hand thing who has this in place for the same reasons or for different reasons. Same. Yeah.
Everybody, I have three, three hands up. So
Speaker 11 01:39:13 Yeah. We clearly have a tendency to do everything in different parts of the organization, but this is actually our main pattern for how we do the, the integrations. And we have, we're actually trying to move to this because a lot of our authentication is still on premise for various historical reasons. But this is the primary pattern because we are not yet able to directly provision from our identity management system to the cloud due to some technical limitations. Right. Okay. Thank you.
Same, just no, no, I won't go around or you come here. That's yeah. Apparently we have a, this situation set up like here, like this described here for our main enterprise AD, but we see a shift in the mindset that having password hashes in the cloud is not that bad, but this took time. We are an old industry, same verticals Nico previously mentioned, and it takes time to get the customers or the business customers accustomed to it. Right. I really see the same thing. Also highly, highly regulated industries that they finally say, okay, a password is not that endangered. Yeah. Yeah. Okay.
Thank you very much. Yeah. There's a lot of the, Microsoft's put out a lot of good documentation on how strong it is or how secure it is at least to help make the case.
Yeah, absolutely. So that, but these are still very simple integration scenarios. Nevertheless, they are one of the tools in our toolkit to choose from, to create an AD/AAD migration and integration scenario. So that would be the second one. Next one. Yeah. So maybe an important comment to the, the previous one, which is also, I think, important for some of you, that is that there are some objects, if you use the, the AD Connect, there are some, some objects to be managed on-prem and some in AAD, and that the on-prem managed are visible in AAD.
So it can be quite confusing to do the, to decide on what to do where. That was the comment we got. So, so the comment says, one challenge with AD Connect is that we have some objects to be managed on-prem in on-prem AD and some in Azure AD. And the ones to be managed in the on-prem AD are also visible on Azure AD. So it could be quite confusing to understand what to manage where. Okay. Yeah. Custom attributes, custom attributes. That's the extent. Keep my extensions.
Yeah, of course. Okay. Okay.
Yeah, yeah, yeah. Right. So they are of course not visible. And if they are to be maintained, then you have yeah. Two hands in two different baskets. That's true. Then you have to have your whole business process taking care of them. Exactly.
So, and schema extensions come anyway, but we all know, you know, I've been around on-prem AD from the very beginning. And I think the, the bad word always was schema extension. Yes. So schema extension from the very beginning brought you into trouble. Then a poll, who has schema extensions? Many of the schema extensions didn't, didn't come by, by custom, but through applications and yeah. Like the poor man's database, get stuff at it, stuff it in a schema extension. Right? Yeah. End up getting messy. Yeah. I think. Quick question. Yeah. Sorry.
I just have a comment on schema extensions, but not from our own organization, but a client of ours tries to match three ADs and they use a lot of schema extensions, I think, 8, 10 or something. Okay. And they use different values in the same attributes, so it's a really hard job to match. Absolutely. So if you really cannot, no longer distinguish because of same naming spaces crossing over and then, and that could be really difficult.
Yeah, yeah, yeah, yeah. We've had customers, I just can say yes, stuffed whole XML into a schema extension attribute and yeah, end up making something that you don't wanna maintain years later. You really wish you wouldn't have done that. Yeah. The comment of that person from the, the online audience was yes, we are somehow trying to get rid of these extensions. Yeah.
But yes, I think it is something and, and I think we also need to be, maybe this is also a good reason to, to make that shift. You can clean up when we talk about domains, for schema extensions right now.
I, I think it it's in the nature of every system. If you let it live long enough, it gets messy. Yeah. And that is clearly an opportunity to clean up and tidy up a little what happened over the past decades.
So, so it's the same like life with mainframe environments, you know, you talk with these organizations and say, oh yes, we have RACF, and then say, okay, there's the connector. And then say, yes, but it's RACF plus all the stuff we built around RACF in the past 40 years.
And yeah, it's a nightmare and You'll never really know who's using that data until you turn it off the system off and then you'll get the calls. Even if you survey and ask all the app owners, they'll say, oh, I'm not using that data, but you shut the system down and you'll get a call. Yeah. Yeah. And an interesting comment is also for instance, from that one. So Nico also been speaking up, they also have ad on, turned on for accessing the, so to speak old attributes, extensions information. Yeah.
So that can be, I think this, this is really, that is the devil in the detail where we end up here right now, these are the things done on. Unfortunately, there are many of these devils in that space around schema extensions. Yeah.
So you, most likely, if you have an on-prem AD, also will have a few of these devils around where you need to look at what to do with Mr. Devil or how you handle them. Right. And again, due credit: all these pictures are taken from the Microsoft website, just from their documentation, not created by us.
Next step, we have two more slides between us and the coffee. So yep. Active Directory Federation Services, ADFS, we will be getting to longer acronyms now. So we have hybrid identities and authentication via proxy. So if you look at the picture we have, oh, I have to look here. So we have the web application proxy here. We have applications logging in against, against Active Directory, Azure Active Directory. And there's a Federation trust between who applications, and the main important thing is that there's a web application proxy here, which is running locally.
It can be open right now is because it's really more retiring this ADFS stuff. But I never, ever liked ADFS. It was always far too, too, too weak in capabilities.
So yeah, I never, and really never was a friend of ADFS that wasn't the best thing Microsoft has ever built. Right.
I think, I mean, they went down new, the whole WS-Federation, they went down a different route and then they kind of ignored SAML and then they kind of had to make a left turn, and then the Azure cloud was really already going to replace that, they saw. So, yeah, exactly. Okay.
Again, that's as a side note from my, the poll: ADFS in place. Yeah. Okay.
This, this is, this is fewer than expected. I would say much, much fewer than I, either you're tired of raising the hand or you're surprised, running out of, of caffeine, so okay. Or maybe our intro to ADFS scared them off. Exactly. The good thing is, maybe I should have made my comment later on. Yeah. Right. So I won't tell that I use ADFS. Right. Don't dare. But the good thing is that, that it's free. The bad thing is it requires a server license. So yeah.
But, but nevertheless, it comes with a package just as we look at, as we look at AAD as well, this comes with so much added value added services that we usually don't consider to be part of AAD, but they are all included. This makes it a different game. And that was the same here.
So, so for ADFS, I would, would stick to my legacy statement. Right, right. And okay. We had already some comments regarding this AD DS, as we see acronyms getting longer, AAD DS, so after the coffee break, we have the ones that spill the entire first line. So what we have is actually we are providing parts of the services that an on-prem AD would provide to applications, including these legacy authentication schemes, being LDAP, being NTLM, being S, being provided as a service from the cloud, which is a new service. This is not an integration with an AD.
This is not a, a, a, a synced version of an AD into the cloud. It's really a newly deployed AD domain service scenario that is provided to legacy applications.
And, and you can actually then reuse Azure AD identities within the AD domain, AD Domain Services, to make sure that you can reuse, quite the other way round, identities from Azure AD within an AD use case scenario, which of course requires some, some work, because what you actually want to achieve, lift and shift your AD to the cloud, is not that easy because you have to take the full circle to Azure AD and then back to the AD DS services. And that might require some work. And we had some, some comment regarding the domain join of, of, of, of, of, of machines.
And that obviously also has some limitations. And yeah, the question is so, so I, I would be careful in, so when I, when I set up something to keep domain join alive, I would carefully consider if this is the right strategic direction, because this will always be an end of life.
And, and the effort you invest here might be really invested in the wrong place I I've seen is at a relatively large organization that I'm recently, which is only caused by the fact that their, their workplace program took so long that it's before it right now becomes implemented, is already totally outdated and builds on, on very traditional schemes for, for the workplaces, which then means they, they need to, to sort of reorganize their ad with very large ad environment.
And I think the, the only answer, but no one had, I would say the, the will to do that, to afraid it positively to go to the management and say, okay, no guys, sorry, but the work we've invested for five years and defining a workplace maybe was wasted because the evolution was way faster than our work was. And because no one is willing to do they, they are doing a huge restructure of, of the on preed. Yeah. But I don't think that this is a very meaningful, strategic approach to I've expressed that some, some like me for that some not, no, that's good. Again.
Now I have to do the poll afterwards, like, hey, who has AD DS in place as of now? Nobody. Okay.
So, okay. I saw one hand. As you said, you have everything, right? Got the point.
But if you are in a highly fractioned organization with lots of autonomy, then that happens, I assume. I also would dare to say, even while I believe I, at least in my past, understood group policies. Yes. Yeah. It's also a good idea to get rid of group policies. Yes. Yeah.
Finally, I once met, when I had a different role at Microsoft, a person who, so to speak, invented the group policy system sometime. And he was not overly proud of that.
So, because I think the basic idea was not bad, but the implementation maybe left some room for improvement. Right. It got overly complicated, and yeah. Yes. Yeah. That would be my last question before moving to the coffee: what do you see in real life? Is AAD DS something that you really have to take care of when you create a bigger picture, integrating all these applications and reintegrating these different types of infrastructure? Yeah.
I mean, we don't have a lot of customers yet. Everyone's looking at it or piloting it, but we don't have a lot that have adopted it. And it's really not for the client authentication. It's more just for server workloads, which, for that, I mean, it seems to work very well. Yeah. For scalability then there. Yeah. Yeah. Yeah. Okay. Okay. So we've walked through these options, and after the break we will look at all the other aspects and look at other questions which came up.
I think we already touched a number of interesting points here, but right now I think let's have the other break. I think we start again at 11:25 Central European Summer Time, so in 15 minutes from now. Okay. Thanks, cool. Come back. Yeah. See you after. So let's restart. We'll be live again.
Okay, great. So thank you to all here in the room and in the Teams room for participating so actively. And right before the break we had the kind of question which is also related to the theme, which might be an out of scope question. I don't think so, but: I wonder what Microsoft's plans are with Microsoft Identity Manager, or how it should be replaced, as I think it's nearing its end of life. And I think this also affects some of these Azure AD / AD journeys.
It also, I think, flows into what the options are that you have. And Peter, maybe you can give us a little bit of background here. So Peter is from Microsoft and he's in the online attendance.
So Peter, if you unmute your microphone, you can speak. Speaker 16 01:54:57 Okay. Thank you very much. Yeah. Thank you for having me. My name is Peter Lansky. I'm a senior program manager in the identity division at Microsoft. So that's the product group which builds Azure Active Directory and runs it. And to the question about the future of the Microsoft Identity Manager, or MIM for short: it is true, we do have kind of an end of life date. We have not officially announced when we will stop supporting it, because we know that a lot of customers are still using MIM heavily.
We are moving more and more workloads towards Azure Active Directory from what MIM did in the past and is still doing for some customers. The latest addition we did is a way we can reuse the MIM synchronization connectors with Azure Active Directory, for those folks who are familiar. If we want to do user and group provisioning towards applications, the default protocol in Azure would be SCIM, but we know that a lot of, especially on-prem, applications just don't speak SCIM.
Speaker 16 01:56:08 They do, maybe, have a SQL database; they have some other proprietary connectors, maybe LDAP. And what we have already pushed into a public preview is the ECMA host for Azure Active Directory. It's basically a SCIM client which you can install on an on-prem server in your environment, and Azure Active Directory will send provisioning commands with the SCIM protocol to that ECMA host.
And then on the ECMA host you can either connect to other on-prem SCIM-capable applications, or you can use one of the ECMA connectors like the SQL connector or the generic LDAP connector, and do provisioning against your existing on-prem line of business applications. This is currently in public preview. And if you have questions, I am happy to answer your questions, and there will be more scenarios added in this way as well. So over time we want to add more and more functionalities from MIM to Azure Active Directory.
And then once we are comfortable and have feature parity, we will give a more concrete date of when we want to deprecate and retire the MIM components. Do you have questions? Yep. So thank you very much for that input. That is very helpful and very much appreciated.
Thank you, Peter. Okay. I would say let's proceed, right? So we are now getting to the part where we have not prepared too much. There are lots of slides upcoming, but the important part is that we actually have non-technical and non-technological aspects to consider as well. Starting: usually we start with security and compliance; on everybody's board it's security and compliance. And so let's start with the business demands. This is what we consider to be aspects of support for authentication and authorization. We had seen that as a driver, but actually this is also a requirement.
Business says we want to have dollar SaaS application included. So something like Salesforce, I don't know, whatever you want to have, that you don't want to maintain additional user identities in, just yet another silo.
And, to be frank, federating to Salesforce works way better than authenticating directly to Salesforce, at least for us. Way more reliable. Exactly.
So this is, of course, an important part to start with. So support for authentication and authorization for SaaS applications. This is really a requirement, as everything is being consumed as a service.
As of now, nobody wants to create yet another CRM solution on-prem or an HR solution on-prem whenever they're allowed to. And we talk about compliance later, of course, as well. Collaboration with partners: federation. And we've talked about that with regards to just having guests in Teams, having shared Teams rooms across organizations. This is federation.
And that is maybe the first time that many people who are not IAM people like us get to the point of realizing there is something like federation, by having invitations across organizations and people using their own credentials to look into a system that is on the side of the partner, and that works. So this is really something where federation comes into real life for many who have never seen that before, never heard of that before. We've talked about the operation teams over here.
So operation costs and teams, and on the other side of that coin, of course, is scalability and availability around the cloud, around the globe. You don't want to take care of that anymore, which, on the other hand, also is a risk. So imagine you're running your Azure AD or your on-prem AD controller in some way, and some of these are run from the cloud to your OT environment, and connectivity gets lost for a couple of hours. Then you might have to report something to your board if the factory is standing still for a while.
So that's the other side of the coin. So we also need to think about what our alternative ways are here, how to deal with that. I think this is the other side of the coin.
So unfortunately even these coins have two sides. Exactly.
And actually I think we were quite good when we were collecting our requirements when we were discussing in the first hour, because B2B, B2C, B2B2C, the government and the requirements, these are business requirements. This is just a different type of business, but governmental organizations are doing business for their citizens, for their students, whatever you are looking at. So these are new corporate use cases, and they need to do that at scale, if you think of university interoperability across countries.
So there are IdPs that are provided for more than one university across Europe. And this is a use case that needs to be well managed, also with authentication and authorization. So these are new business models as well. So I've put that here on the slide as well: new B2B and B2C and B2B2C. So providing services to your customer organizations that in turn provide services to their end user customers. Which maybe also warrants another mini survey.
So who of you is also using B2B? Probably a couple, because sometimes it comes more or less through the back door when you're sharing Teams with others; you probably use it more and are not a hundred percent aware of it. I think the other question is who is up to B2C. So one part of them, which is significantly less. Yes. Yeah.
That's the good enough thing again. Yeah. Where are they on the good enough scale for different use cases, right? Yeah. Yeah. It's also interesting enough when you look at our Leadership Compass. For instance, if you go to access management, the score is very high. When I go to IGA, it's not as high. When I go for consumer identity management, it's even lower. Yes. Yeah.
And so I think it's really also, when you look at this, given that we take very focused perspectives, there are some where we see it at that point of writing. And that's always what we need to say, because we just also heard things are developing, and we know that things are developing, but at that point of writing, in some areas it's of course way better than in others, right? It is a business requirement. Although it's a compliance requirement, it's a business requirement: MFA.
And that, again, nobody can hear the word COVID anymore, but anyway, during the COVID pandemic when we had to work from home, introducing MFA, I think one of the easiest ways was to move towards Azure AD and just take the MFA configuration. And then you were there. And that really helped many organizations to introduce a new level of authentication security that really fulfilled business demands, because the other case would be data loss, data breaches, documents leaking where they should not leak.
And this was really something that was a business demand. Mobile first, cloud first: we've talked about that across the recent days extensively, but of course Azure AD is in the situation to support there as well.
And by the way, you surely are amongst that smaller share of organizations that have MFA activated in AD. Sure. All have activated MFA; if not, do it, because not using MFA, as we learned from the C, is declared a bad practice. Yeah.
So you should offer the MFA option, and it's easy to turn on. It's relatively easy to roll it out to your audience.
And also there are different MFAs, so to speak. So you can evolve from just turning it on to really good, well managed passwordless, conditional access, blah, blah, blah, syndication. Very strong area. Yeah. Because I mean, you can have all of these different security policies in some organizations, but if you don't implement MFA, basically you're implementing a lot of security, but you're leaving the door open.
You're not really, you shouldn't even feel like you are secure if you don't have MFA. Exactly. Are there any striking business demands that you fulfill with Azure AD as of today that we have not yet mentioned? Because I think that there is more, but these are the typical things that come to an analyst's mind.
So that I could find out anything else that you see where Azure AD really helps you in extending and maintaining your business. Anyone doing any IoT scenario? Just curious. We have that question still pending. Yeah.
Oh, good point. I'll try to find it. And hopefully I understand. Well, very much on top of the list of the questions, right? Exactly. I believe the IoT question. Talk for 30 seconds, I'll find it. Okay.
So I mean, we have the, you know, Germany, very industrial heavy. I just wondered if, you know, any of the organizations are using Azure IoT services for next generation industry. No. Any pilots? Anyone done any pilots?
No, not yet. Okay. Someone from the online audience already now, and looking at that.
No, no, great. No big response here so far. Let's wait. Maybe it takes a little. Something that you've seen already. Maybe you'll reread that question.
Yeah, I'll do it. I just throw it over to Patrick as he's the practitioner. Okay. I'll read it out once more. Is there someone to cover, hopefully, how to deal with authentication, privileged accesses, IoT devices, and direct connection with our public ID, public user accounts enrolled in cloud government platforms, or cloud governance platforms? Yeah, I assume it's governance. IoT devices hardly have inbuilt security, which makes them a perfect target for hackers. The majority of the IoT devices are interconnected, which compromises the security of multiple devices
if one device gets hacked. Is this something that you have looked into already? I'm not, I mean, I'm not an expert on IoT, but I know Microsoft provides good individual device registration, certificate based authentication, broad protocol support, the MTM.
So yeah, also I'm not really an expert in IoT, so I really can't. So it looks like we don't have anyone in the room. It looks like we don't have anyone in the virtual room so far. Check, at least. I don't want to point any fingers, but we have a Microsoft person in the chat. Yeah.
But well, the main thing is, yeah, it might be a tough question even here, right? Yeah, yeah, yeah. Okay.
But then let's maybe continue, and if someone pops up around IoT in the chat, I'll pick it up. Okay, cool. Okay. So those were the business requirements. So if there aren't any others, then we finally have to get to those demands for extending AD to the cloud. So it's cybersecurity: really improving your cybersecurity. Usually when somebody says we're moving to the cloud, everybody says, woo. Why? Actually, moving to the cloud can improve and extend your cybersecurity.
Especially if we think of these augmenting services around AAD that can support in really improving your security posture. You know, I still stick to what I've been saying for tens of years. I think I've been quoted on this in the leading computer magazine.
And many, many years ago, probably 20 years ago, closer to 15 years ago, I've been quoted on that, that a cloud provider usually is better in managing the services than it was for mid-size businesses and the small and medium size businesses. Yeah. And whatever the son of the managing director can do in IT. And I think we always need to be aware that the large providers are putting so much effort into security, and their business at the end depends on not making too big mistakes here.
So that gives you really some level of cybersecurity which is not easy to achieve when you do it yourself. On the other hand, you always, and that is a big, big warning: always be clear about tenant responsibilities and provider responsibilities. You must know exactly what the provider will do or not. So there was this public...
So there was this fire in a data center of OVHcloud in Strasbourg last year. And what was learned is that, so this was really more, so you had your virtual machines running there, and the vast majority of customers, I think it was way north of 80%, didn't have a recovery plan in the contract, because okay, this is in the data center, it's running securely. So if you don't have a recovery plan and you haven't made your own backup, then you're in trouble.
So you need to really understand this. I think this is the perfect example of why it's so important to understand tenant and provider responsibility. If you don't, you say, oh, I expected them to do that. And they say, oh no, it's not in the contract. Exactly.
And then, yeah, portfolio. So then if you look, I have this first item on that list: integration into an overall cybersecurity framework, leveraging Azure and third party tools.
So the important part is actually the first part of the bracket. So it's leveraging Azure tools.
And if you go to the Microsoft website, and I'm usually not really often referring to vendor websites, there is a, and you can really just find it by Googling it, cybersecurity reference architecture by Microsoft, which provides a good overview of the components that are there that can assist you in securing your overall Azure AD environment, including reporting mechanisms, some kind of SIEM functionality that supports you there when it comes to these adaptive authentication mechanisms that are in place, risk based, context based authentication. All this is something that, if you want to build that on-prem, is quite a task to achieve, but this is just there.
You just configure it, switch it on and use it. And they aggregate all the data from all of the tenants. So they have a lot more, you know, intelligence about risks and threats and ongoing attacks.
Yeah, exactly. And I think that this is really one of the points, you know, they can gather really, really tons of data. Yeah. So to speak, probably you can even measure the weight because it's so much. Probably yes. Theoretically it is, obviously, when you turn it also from zero to one. Sure. Electrons eventually.
Yes, exactly. So it makes a little difference. And by that amount of data, you probably are in the area where I can measure it. Yeah. Yeah. Okay. But to that, this, yeah. This is not an endorsement. This is just: if you make this decision, there's much more to use, and which is usually included in the license that you actually pay for anyway. But he is the least suspect of being Microsoft minded. I think he started his career with writing a Linux book or something like that. Yeah. Open source stuff. Yeah.
Yeah, exactly. So really not, but yeah, IU, I don't know what that means in English, but nevertheless, so you just need to honor those who deserve it, and that is really a good way to improve your overall cybersecurity. And these are cybersecurity demands that you can easily fulfill by moving to Azure AD, as long as you really understand the full impact of what you're doing.
So we have that later on also, this looking at cloud risks that come just by moving to the cloud, but once you have understood it, you mitigate the risks, you get to a much better service. Yeah.
And I think with all that list, I think we don't need to go through that list in every detail. Absolutely.
Again, it is understanding what you need, what your use cases are, mapping it to what is delivered, what you have as well. I think it's all in these areas when it comes to cybersecurity; you will have a lot of things already around. And at the end, it is understanding what you need, what your portfolio is, what delivers to these needs, you doing a portfolio assessment, the gap analysis, and then understanding, can you fill it in that context or do you need something different? And there are reasons why there are other vendors out there as well.
So it is really understanding what it is you need. This is Speaker 17 02:14:06 Good, where Microsoft, where people maybe that they're not leading Or Speaker 17 02:14:14 Not yet leading or whatever it is, something that you need to look at.
And then there are concepts also like SASE. So I think for SASE, the first thing is you need to think about what it means for you, because this is probably more a catalyst than a model or a concept. And there are elements which might be good for you. So putting everything on SD-WAN might be a great thing, or it might be totally nonsense. And so you need to understand also maybe for which use case this makes sense or not. So I'm not a big believer in reverting everything back to a single SD-WAN infrastructure. That sounds to me pretty much like the nineteen eighties.
So be careful on that. So we talked about MFA, for privileged access management.
Again, look at what you do. Look at this; that goes into the DREAM stuff, how this relates to new requirements of managing really resource entitlements in complex infrastructures, not only cloud, but also everything where Kubernetes or Docker runs and so on. So how do you deal with that? Data access governance, a really, really interesting area. So we see this Azure Information Protection stuff, et cetera, also around the DLP stuff. And so there are a couple of things. We also need to look at trade-offs here.
So sort of the unfortunate thing with Azure Information Protection: the more you protect, the lower. So it's really a trade-off between convenience and security here, because at the end of the day it means, if you activate information protection, you don't have joint editing of Office documents anymore. And so on. So it's these things you need to look at, but there are a lot of things which you need to understand and where, at least to a certain extent, clearly this can deliver. And this is where you need to make up your mind.
What is the right way for you for all these use cases? Then again, as I said, I think putting all eggs into one basket is something where you need to be definitely careful and conscious, right? So we had business requirements, cybersecurity demands for extending AD to the cloud. Did we miss something? What are you missing? What hasn't been covered yet? Because I have two more blocks.
We would like to... Martin just provided a new Leadership Compass around this area where Active Directory is located, to understand how we rated it as analysts, and I wasn't in the perfect situation to prepare that slide deck. So I pulled out an old blog post from Martin, doing predictions on Azure AD and AD in 2000, which is a really pretty nasty move.
So, you know, pulling out old stuff and saying, hey. So there it is. Maybe start with that. But first of all, did we miss anything that is an important part? Because you have, I don't know, 45 minutes or so left, or 40 minutes left. So really, that you can take away what you really wanted to achieve here as well. So if there are any open questions, please let us know. I'll check the chat afterwards. As soon as I hand over this old blog post to Martin: he ended with four recommendations. I've put them to the left, and then he can now... I'm put, yeah. Yeah.
So in that case, it's maybe not so nasty. I think there's nothing in there where I would say, oh God, what did I write two years ago.
So, yeah. I still believe it's very important to carefully follow what Microsoft is doing, in both directions. I think from: can I move forward? Are things lacking? What does it mean for my future? I think it's important if you have Azure AD around. So I should look at this screen, as I've told Matthias, sorry.
So that is something which is very important. I think you need to work on this strategic positioning around all the various areas and think about: where is it maybe strategic today? Where might it become strategic? Where do you build on a totally different strategy? And whether it's the one or the other depends on what your landscape is, what you have, what you want to achieve. And this is always what you need to keep in mind, but make well thought out, well informed, conscious decisions on that. I think: discuss it, find a common position if possible.
Sometimes I see organizations where we really have two groups which are really opposite, and they don't want to come to a common agreement. Very important, we didn't touch that yet: so frequently on-prem AD is not in the ownership of the IAM department. It is in the ownership of the infrastructure department or something else, because it's very closely tied to Windows Server, just the group policy stuff for the clients. But very clearly Azure AD must be in the ownership of the IAM department. Nowhere else, full stop.
If it's still separate, change the organization. You can quote me on this. Poll: is there anybody in the room who says Azure AD is not in IAM, not in IT infrastructure, not in wherever it belongs? I wouldn't dare. But anyway, I think I phrased it in a way that no one wants to raise their hand right now.
No, we have these discussions with clients, which are in these discussions because it means you're changing the organization, you're changing responsibilities. And clearly there are these discussions. I honestly have to say, when I look at many things, you know, I've seen so many organizations which then have,
so to speak, a shadow IAM based on on-prem AD, where then a lot of stuff was managed via groups and even something might have been provisioned extra, aside from the IGA tool. And I don't think that I have ever seen one of these shadow IAM based on on-prem AD implementations which delivered to the benefit of the organization. It was just that no one was willing to say, okay, we change it. We change the organization. We change the responsibilities. We move forward. But right now, if you say Azure AD, this is the way you go.
Then this is also the point where you must adapt the organizational structure and responsibilities. As you can, you can hint your management to me. Yeah, I'm very willing to discuss this. And if it's just for regulatory reasons and for being compliant with GDPR, for managing data, because in the end, even if it's employees, it's still PII.
So, and the final point here: if you're already integrating on AD, revert from being AD-first to Azure AD-first. I think this is also very well, right. Yeah. Discussed it today already. So let's go to something different. Okay. Yeah.
So you don't pick up all the recommendations of mine. Honestly, once in a session I referred to a report I wrote in 2007, right? Exactly. Yeah. Sometimes this stuff really is still current after a while. Sometimes not. Right. Okay.
So I also refer to that, that I embraced enterprise role management stuff and how to build these role models in a way which I wouldn't recommend anymore today. But no one could expect ID exploding in that manner. Yeah. Okay. Gave you time to reconsider.
Did we miss something that you would like to see covered in that workshop? 30 minutes to go? Otherwise I would then again... Let me check here. There was nothing just before; anything changed? So there's one saying they moved just the ownership since 1st of January 2021. Congratulations. Yeah.
That's the way to do it. Right.
As we said, we talked about this reference architecture. We did not talk about the Identity Fabric, but having not only technology but also processes in place. And that means ownership. That means, yeah, interoperability and defined interfaces between organizational units. This is important. Yeah. I'd say along those lines, one of the most important things is to actively and consciously decide your patterns, your practices, and make decisions. It might be Azure, might not be Azure, but for each use case, know why you're doing it and what you decided.
And it was a conscious decision, and what it means in the bigger picture. That's the other thing.
So also have the broader picture in mind, which also means in some of these decisions you might say it would be really better to do that than that, whichever that and that is. Yeah.
But you say, if I take the bigger picture, I go maybe for the somewhat weaker solution, because overall it's the better way to proceed. And this is really, so you also need to have the broader identity management picture in mind. So I think you skipped the Identity Fabric picture that we have. It's in the slide deck? It's not in the slide deck, but it's available in tons of publications around, where we have this higher level picture and a lot of reports around that, even a Leadership Compass on that and stuff like that.
And I think this is really: start with where do you want to be with identity management in the future? Where is it heading? And then look at the pieces, and you also have to think of this discussion we also quite frequently have. So you say, okay, I should ideally modernize that and that and that and that; where do you start? You can't do everything at the same point in time. So it's about slicing the elephant, and I don't like this picture, because when I talk too long about this picture, it always gets very bloody, so better...
Think about, you know, what is it that you need, what is your highest priority? What is your biggest pressure, and what can you achieve in a certain period? And what are the big things you shouldn't do in parallel?
So I would always be very careful in, for instance, saying I do an IT migration and an access migration in parallel, because both are really daunting tasks. And you might just experience that this is too much to do in parallel. And if your Active Directory is too messy, try not to replicate the mistakes of the past. If, oh yes. And sometimes also it's better to start somewhat clean and fresh instead of trying to replicate garbage. Garbage in, garbage out. Yes. Yes.
Golden rule. Maybe one thing where, Patrick, you are maybe a bit biased, but this is fully fine. We just looked at Microsoft-specific solutions. When we looked at the migration parts, this toolkit you can choose from, did we miss out any third-party tools, third-party mechanisms that can support or even replace some of the parts that we've seen in the slides that I've presented? Is there something from you, from other vendors, just to make sure that there aren't different paths that we omitted? Sure.
And then there are many vendors like us that fill in the gap and help you get from on-prem to map the access into the cloud world and maintain coexistence so that you can have a more seamless transition. So, yeah.
Right, right. Okay. Okay. Leadership Compass. We can have a quick look at that.
So this is the IGA one. We need to be clear about it.
So Azure AD, as I said, we covered it in the consumer identity management. We covered it in the access management. The access management definitely looks better than that one. Yeah. This is the IDaaS IGA. So because we had this IGA part, and then we, as you probably know, we have this thing about leaders and challengers and followers.
And so Microsoft is somewhere here, but I also have to say Microsoft is somewhere here because this overall leadership thing is constructed by product innovation and market leadership, and Microsoft benefits most in which area here? Market. Yeah.
So Microsoft always gets a little bit of a bump from the market side here. So if you had just taken product innovation, it would be a little bit more. We have them. Yeah. We have them in detail. So I think when we just quickly go through, I don't want to, you can all read it in detail. If you just walk through, maybe that it is that we, this product, because there are already some interesting things and some things coming and, clearly, also all the things which are about scale.
And so this is what benefits the Microsoft innovation also, not that there is still room for improvement, but market, as I've said, is always what bumps Microsoft up, even in the IGA space right now. So I think for IGA, that's what I said before. I think this is really what requires a very careful consideration, very careful analysis: where are you? What do you need?
Where's Microsoft, et cetera? Because there are some things like workflows which are not yet what we would see; access governance is probably also more access governance for, so how should I phrase it without being, so I don't say poor, no, it's not a bad one. It's really, if you compare it with a higher level, but on the other end, you need to think about how much, or what, do you really need in that, the other side of the coin.
So in some areas of access governance, it depends very much on which industry and how much regulation you have, but Karina told us about their journey to processes and roles and other stuff; that is not an easy journey. So the question also is how much do you need of that? If you're a bank, you need more; if you're another bank, you might need less.
So these are some of the things. And I think it's interesting to see, and again, that's why we do this Leadership Compass, why the Leadership Compasses have a lot of detail. So there's way more detail than we just show here. That is where you need to take your perspectives, your requirements, your use cases, and then look at what the options are from a vendor perspective. And I always recommend: look at a couple of options to compare. Always pick, maybe ideally also, if you're really starting from scratch, at least one more exotic or uncommon vendor.
So not just four which are somewhat similar, but look at a little bit of alternatives, because I've seen it so frequently in what I call the beauty contest during a product, during your tools choice, when the vendors do their presentations. And sometimes then the other ones really sort of open the mind of the customer, saying, oh, this is an interesting approach to do it differently than the others, but it might fit better for me. So really use these opportunities in tools choice, and a little bit of advertising for KC.
There's a ton of support for tools choice that we have, starting from really self-service tools choice, all of this available right now in our subscription. So go for it. Let's continue. That's it, mainly, and that's because I think everyone has access to the document. Everyone can read it. And as I said, multiple documents for different areas, because we go into these market segments. Right. That was the most recent one, so that's yeah. We have this, this, and that's it.
That is the, ah, we're sure we're already back up, that's why, what you wanted to stay with, right. Is that, yeah.
So what can we discuss in the remaining 20 minutes or so? Any questions from the audience? Any points you'd like to cover? Just checking here, check the chat, right. Anything in there? Don't be shy.
Oh, okay. Thank you. I'm coming over.
Speaker 11 02:30:55 I have a question regarding provisioning to applications. So obviously SCIM is one option, and we also discussed there was, say, another option to provision into the on-premise using SCIM and then converting that (inaudible). But one thing we are looking at to try to contain cost and simplify things is to move a lot to JIT-based provisioning, just the federation, and then put all the attributes into the OIDC or the SAML ticket that you need.
And then asking the application to clean up the data, to meet GDPR, at like quarterly. Is that something that you see in other customers as well, and what do you see as advantages and disadvantages of this approach? Okay. Thank you. Just-in-time provisioning.
Oh, so you're talking about SAML-based just-in-time identity provisioning, is that the general gist of it? We see it.
I mean, the scope of it is difficult, because it's very difficult to get applications that support that type of just-in-time access. Most of them are very traditional. They expect a user record in a table in a database that's been assigned application roles in advance. Yeah. So that would be, I mean, that would be great, you know, Amazon, AWS, you can do a just-in-time role-based federated login, which is, you know, that's the dream; there's really nothing there but just that. That didn't seem to spread around yet, which would be a big benefit to everyone if it would. Yeah.
Yeah. So where possible? Yes.
But it's not super common. Yeah. I think this entire just-in-time thing is still very much evolving. Yeah. So I would say we see it in various areas.
We have this discussion very frequently when you just walk through another room, more around the privileged access management discussions, where we see this ephemeral certificate, just-in-time thing, et cetera. I think the problem with ephemeral certificates starts with the terminology.
So if you have a terminology which makes you think, what does it mean, it is usually not the very best starting point, but it's a different discussion. Yeah.
And we also see this, for instance, of saying to which extent should we have just-in-time provisioning in the traditional sort of IGA space for at least certain types of entitlements. We have it in the context of federation, where some things are moving on. So probably next year, maybe next year in May, at EIC in Berlin, we will have some more things to discuss around just-in-time access in the broader sense.
I think we probably better say just-in-time access than just-in-time provisioning. So that is clearly a theme which is moving up, but which is still also in, as we would say in German, the Kinderschuhe, the children's shoes. Yeah. Yeah. So I would say I haven't seen it.
I mean, I've definitely seen it in different ways. Automatic partner provisioning of Active Directory accounts on first login, as long as the IdP supports that, and SAML-based, but I just haven't seen it that many times. Yeah. Further questions, further points you'd like to discuss? I've seen there were a little bit of other questions around IAM organization, general perspective, in the chat. I think that would be opening up a very, very big box.
And I would dare to say, feel free really to reach out to me directly with questions around my perspectives on IAM organization and the broader cybersecurity organization, how IAM relates to the governance organization, all that stuff, target operating models, all that stuff. You've got my email, mk@kuppingercole.com. So feel free really to drop me an email and we can follow up from there. I think this is probably the better way for such a relatively complex area. Some things are easy, as I've said, to define, yes. A shifted there for others.
It's a little different, a little bit more complicated. So maybe one thing we quickly can pick, and that is an interesting area to think about. I think there are two elements. Sorry, Matthias, maybe you switch it just a little bit around. Yeah.
Yeah, sure. I think there are two things which are closely related. One is, to which extent, that's more a European question, to which extent can and will you, and are you allowed to, trust a US cloud provider, even maybe while the data center runs in your region?
And that is something, you know, I don't want to comment on, because this is also a topic for very long discussions which lead us into the CLOUD Act and many other areas. But at the end it's also a decision of an organization to say, okay, maybe I need something for high-risk use cases where I say I want to do it differently. So this discussion we have every now and then, where someone says, okay, we have our AAD here and we use it for whatever, the M365 / O365 stuff.
And we use it for whatever, going to our Salesforce or other services. And we come in with our Windows Hello for Business. And then they say, okay, but here we have these really critical applications, critical, critical, and we don't want to go that route. So I think the first thing is, it's always a good idea to have a real cloud risk assessment, understanding the risks you have, the mitigations you have and can use, the residual risks which remain there. Our colleague (name inaudible) is very profound in this.
He did it probably hundreds of times. Tens, dozens, like hundreds of times? 70, 80 times, yeah. At least he did it quite a lot.
So that is something, yes. Do these things, go through that, and understand what to do, which mitigating measures, et cetera. And then the question might be that you say, okay, maybe I have a separate IdP here. And the interesting question is really then, at the end of the day, how do you solve that? So you say for that, I want to go that route. So how do you deal with that? Because for a user it means there are two IdPs, and sometimes you need to go down that route, sometimes you need to go down that route, which makes things a little more complicated for a user. Yeah.
Honestly, I think if you go down that route, my best advice I have so far, unless someone has a better one, would be to say, you know, there's this miraculous thing which is passwordless authentication, which then would move it to the device authentication and just doing the registration of the device twice. That seems to me the easiest solution for such a scenario, where you say, okay, then I leave these worlds separate. Yeah.
And I try to reduce the friction for the user, to say, okay, if we have passwordless authentication, you go through your device, you use your face, your fingerprint, you register the device once here and once here. That's the double step you need to do. Yeah. But you do it only once, and from there on it is quite seamless. So if you end up in these scenarios, that would be the way of thinking from my perspective; if anyone has better ideas, I'm very open to it. I purchased about, I don't know, nine months or 12 months ago, a FIDO biometric key.
And we can do passwordless and usernameless. It makes you think about federation differently, because if I'm always just touching this device and that's all I have to do, then yeah, you can get through scenarios like this where the end user doesn't have any user experience challenges. They're just tapping; they don't know what's happening on the back end, but it's all secure, basically. Yeah. Yeah.
So again, a good argument for going passwordless, yeah, but really passwordless authentication. Yeah. Yeah.
That is the point behind that. And the good thing is, then again, it shows you have relatively good convenience. Yes. And still have, so it's not, as I said yesterday, it's not about balancing, yeah,
security and convenience. It's about pushing both up, if you do passwordless authentication. Right. I think we're done.
So I see still some organization discussion in the chat; I said reach out to me. But if there are now further questions, there's one further question. Just a sec. I think it's not only a, it's not a question, it's more a statement. So what you propose here, to say to have another identity provider for, let's say, critical application access: if you do a serious cloud assessment or cloud risk assessment, that's the only way you can go, because you still have a lot of data. So the crown jewels have to be protected and you have to go that way anyhow. Yeah.
I think, yes. Full stop. I wouldn't enter into a disagreement discussion here. Let's phrase it like that. Right.
But it's also a question of risk appetite at the end of the day, right? It's a cloud risk assessment, but also your risk assessment, understanding your actual, what are your crown jewels? It all comes down to: what do you need to do? Which are your use cases, your requirements, what is your risk appetite? Evaluate it really thoroughly; make conscious decisions. I hope that we could give you some ideas, some food for thought and background on making your own decisions. So I hope this was valuable this morning for you in the room and for the ones attending online.
And thank you, Patrick. Thank you, Matthias. Thank you all for joining this workshop and joining EIC. Thank you to the ones who are here on site, have a safe trip back; for the others, stay well.