Welcome to the KuppingerCole Analyst chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Nitish Deshpande. He is a Research Analyst with KuppingerCole. Hi, Nitish, good to have you.
Hi Matthias, I'm glad to be here. And it's been a while since the last podcast, so looking forward to this one.
Absolutely. It's been a while, but you've been busy. You've been busy writing research and as you are working in the area of IGA, identity governance and administration, this is of course very close to me. On the one hand, being the director of the practice IAM. This is of course, an important topic for us when it comes to compliance, to governance, to organizations doing things right and being able to prove that. And on the other hand, I'm the head of advisory. So I see where organizations currently are struggling when it comes to properly using and implementing and designing IGA solutions. And one aspect that I see is really the topic of access governance, and you've been working on that. Why is this such an important aspect when we are talking about access governance?
Yes, exactly. As I mentioned, access governance is very important. There is an increased demand for Access Governance-only products in the market, especially from organizations that already have identity provisioning in the place, but no dedicated access governance tool. And one of the reasons that we have seen is that organizations are struggling with visibility. Access governance solves this issue. It provides answers to who has access to what, who has accessed what and why, and was granted this access. So access governance really provides the necessary tools for answering these questions and also around managing workflows, access entitlements, run reports, also things like access certification campaigns and SOD checks. So it's becoming very important for organizations to have a good, strong, dedicated access governance tool in place.
From my experience, what I've seen is that this started out in organizations which usually are highly regulated, so financial organizations, which always had to make sure that they provide evidence that they are handling their identities and their access well. But this has changed. This has expanded to other areas, other industries, as well. Is that something that you see as
Yes, absolutely. So, the access governance market, from what we are seeing is, it's already growing and maturing, but it continues to evolve. And as you mentioned, it's quite prominent in the finance and banking sector, but we have seen it outgrow in two different sectors because organizations of all sectors currently are striving to gain visibility. So we are seeing this in retail, banking, finance, then government industry as well. There, it's quite important to govern the access of identities and users. So we have definitely seen this growth in different sectors of industries.
And when people think of access governance, they are usually shying away from what they think is the most important stuff, which is recertification. So at the end of the year, these large recertification campaigns, long lists which need to be checked and ticked off and access removed. But if you look at the full market, at the full capabilities, what are the capabilities across access governance, which address these issues to gain insight into who has access to what and why?
Yes, it's a big it's much bigger picture. So definitely it has components about access, certifications, but there's also about collecting current and previous access information from different system of all the users. Then you need to have a responsible person who provides access certifications and checks the current status of access controls. Then also the thing about access analytics and intelligence is also on the rise. Access analytical capabilities to facilitate organizations and help them understand the current status of access controls using automation and machine learning and AI, is also a trend which we have observed, which is picking up in the market. And then you also have risk based access management. Access is assigned to the users based on the risk score and also providing interfaces to request access to specific information for systems, including workflow policy organization. So it's a much bigger picture than just access governance. You also have policies which need to be right in place. So while working on this I found many more things which align with IGA, but also are more specialized when it comes to just access governance.
Right. With the usage of identities across whole enterprises really growing and getting more important and more identities and more access and more applications, many organizations are asking for automation, for supportive systems who help them in achieving access governance, or for implementing access governance. With technology, you've mentioned briefly machine learning and you've mentioned analytics. Is this also something that the vendors are looking into supporting larger organizations in getting better, more efficient, having support even through machine learning?
Yes, definitely. Automation is a key trend which we observe, which is on the rise. And one of the main reasons is that it reduces workload, a burden on the IT staff and this helps to reduce the cost and time. And that way administrators can focus more on, let’s say, for example, the low risk access request can be automated, and that way now the administrators can save time and focus more on high risk access requests and provide more insights into that. So automation is definitely helping and I think it's continuing to evolve. And we will see more and more machine learning based workflows coming in and AI also of supporting the sector.
Great. If you look at the market, actually, so the tools, the vendors, when I'm looking for access governance where will I find these, are these the traditional IGA vendors and this is built into their IGA offerings in their services, be it as a service, or be it on-premises, or are there also specific access governance tools that augment to complement existing IAM solutions?
Definitely. The traditional IGA players are definitely the ones that you should look forward to for specific access governance capabilities. But there are also specialized access governance vendors in the market who are providing all the necessary tools but on a more specialized level. So they might not have certain capabilities around identity lifecycle management because we don't need them in access governance. But yeah, so it's a combination of both kind of vendors which are currently present in the market.
Right. When it comes to integration, I think when you say they are augmenting existing systems, there also needs to be a proper way of integrating. So I assume the move forward or the way how to move forward is API, secure APIs for integration. So interoperability is key as well?
Interoperability, yes definitely. Interoperability is definitely the key when it comes to... with regards to one of the common adoption factors that we have observed is fulfillment through identity provisioning is achieved by a managed service. And access governance is run within organizations to retain absolute control over the governance functions. It's definitely interconnected between running access governance by organizations and also in some cases as a managed service. So that is definitely a possibility of having good interoperability.
Right. So, as I said, you have conducted extensive research in that area and that led to a Leadership Compass. So you just published the Leadership Compass Access Governance, it is out there. So the market is evolving. So it is really highly recommended for the audience to catch up with what changed. So what are some of the most recent changes that you would highlight when it comes to that market?
So this Access Governance Leadership Compass, it follows our already published IGA Leadership Compass. And in this specific one, we focused mainly on those vendors that we evaluated only the access governance capabilities. So in this specific Leadership Compass, we have evaluated 25 vendors and access governance is essential to business from a strategic point of view to ensure overall IT security and security compliance. And the level of identity access and risk intelligence has become a key differentiator between access governance product solutions. So we evaluated products of vendors of all sizes who are also supporting customers of all sizes.
Okay, great. So I highly recommend the audience who is interested in catching up with what has changed, especially the regulated ones, or those who just want to make sure that they are doing things properly, that they head over to our website kuppingercole.com and go to the research section and look out for your name, Nitish, or for just the Leadership Compass Access Governance and learn more about the market and try to identify the right tooling for themselves and how to improve, how to get better in terms of improving their identity fabric and building new blocks into their reference architecture that they use for their IGA purposes. Thank you very much Nitish, for telling me so much interesting insights into the market of access governance, being a subsector of IGA, but more. So, thank you very much for your time.
Thank you for having me on this podcast. Thank you so much.
Thank you very much and we'll be having you soon again. Won't wait that long again, thanks and bye bye.
Thank you, bye.