Hi, David. Hi, Srijith. Hi, Martin. How are you doing? So, at least from David, I was not able to hear anything.
Srijith, Martin, can you say hello to me?
Hello. Microsoft. Perfect. So this works perfectly. So maybe we start with Martin. Martin, three words about you and your role with KuppingerCole. I'm founder and principal analyst at KuppingerCole.
So, the father of KuppingerCole, that's right.
Srijith, what about you? Yeah, I'm chief strategy officer at Axiomatics, and we are a company based out of Stockholm. We do access control and authorization management. Perfect. David. Yeah, so I'm a cybersecurity veteran, I would say. I'm currently working as IAM manager at B PBA. And in parallel to this, I run a nonprofit initiative to join forces among IAM professionals and create useful content. Yes. And we already heard a very interesting presentation about your approach here. Okay. So let's start with our interesting panel today.
What in your experience are the most important security pitfalls to avoid in implementing access management solutions? Srijith? Sorry, very complex name. No worries. I practiced it really often. Yeah, I think there are two important things to remember when you tackle access management. The first one is the fact that working in silos is always, always the biggest problem we have seen within our customers. And when we talk to our client base, as we all know, security is a cross-cutting concern.
When you have an enterprise, authorization and access management is core among the security principles. So if you have teams working with just their own problem, or a problem which is related to that specific problem they have within their team, either on the compliance side or the application side, they end up with application solutions or compliance solutions which don't work across the board and which don't provide a good security access management system. So that's one of the primary problems. I've seen a similar one,
if I may add, which is the tendency to simplify the problem beyond a point where it loses the nature of how you want to solve it, right? Because authorization and access management is a complex problem and it does need to be simplified. But if you go beyond a point of simplification, your solution will not get to the point where you need to get to, to pass muster. So you need to strike that balance and avoid that problem of oversimplification as well. I think those are the two big ones I can think of. Great.
Thank you. David, your thoughts about the biggest pitfall here?
Yeah, I think my main difficulty is to create business meaning in what we do. I fully agree with what Srijith said, but we need to put that question to the business: whether they want to validate an access or not validate that access, or when they're reviewing it, whether they will approve it or not, and so on and so forth. And when asking these questions to the business, the IT system is so complex that we tend to ask people, well, do you approve right XYZ-390.x? And people have absolutely no idea what that means.
They lose the complete understanding of what they are doing and why they are doing it. And I think this is really the big issue, and it is dangerous from a security perspective, because if the decisions that you take are meaningless in terms of access management, then you are just not managing accesses. And so you need to ensure that all your systems of record are meaningful for those who have the legitimacy to take appropriate business decisions. And this is extremely hard to reach. Definitely, definitely.
Martin, your thoughts about that? Yeah. And, curiously, regarding the last thing you said, David, in some way I believe it's very simple to reach. Great. Because at the end, I think it goes back to what I said in my keynote about policies. So everyone is able to formulate policies in natural language: these people are allowed to do that under these constraints, are not allowed to do that under these constraints. And that is the business language. That is what we need to have. That's where we need to start, in natural language. And from there we can derive all other things.
And I think not thinking enough about policies, not thinking about policies in natural language as a starting point, this is probably the biggest pitfall. I touched on it a little. When I go back from sort of the runtime access management to the deploy-time access management, to static entitlements, we always try to create roles. And then we start thinking about what the roles should be. But if we write down the policies, we will end up with clusters of subjects which have similar entitlements; these are our roles, and people can describe business policies.
You can explain it in five seconds, or 10 or 15, to everyone, and they will come up with the policies. When you say, oh, we need to do this role stuff, you spend hours in explanation up front. And I think this is one big pitfall. The second big pitfall from my perspective, well, by the way, the first pitfall goes back to what you said: making it too complex, going away from a business perspective. This is the same pitfall I would see here. The second problem is not thinking in zero trust enough.
So we still see that people believe if there's a username-password authentication, we can rely on that, which is nonsense. Username-password is not sufficient anymore. We need multi-factor, adaptive authentication based on risk, based on context, and not doing so, and still believing you can rely on a single, simple, easy-to-phish approach,
that is, I think, the second pitfall, and we must go away from username-password. This is our last resort, but not a standard solution. Absolutely right. And Martin already started to mention a little bit how to do it right. So maybe this is a question towards you: what is the best approach to moving towards a secure access management ecosystem in general, Srijith?
Yeah, I think it boils down to, I think, two things that Martin, you mentioned in your previous answer as well. You need to understand from a business point of view what you're trying to do, right? How do you express it in policies? How do you think about it in solving problems? So understand and capture the drivers and requirements, and that's from multiple stakeholders across the business, and then express that in a way that is understandable to those people.
And of course you need to then move to a technology-driven enforcement, implementation and so on, but do that in a phased approach. And then also make sure that you have solutions that help you manage that complexity. But at the same time, those solutions should also be flexible to fit into the ecosystem that you have or the processes that you have, because the worst situation you could have is a tooling or a solution that you buy off the shelf or build which doesn't fit in with the culture of the company or with a system that you work with in that environment.
And the third one I would suggest is also then to start with a simple requirement, onboard a simple application, and then increase the complexity as you gain your understanding of what it looks like for you, how you implement it and so on. So start with that maturity which is simple enough; complexity can come and optimizations can come later, but start with that one single journey and see how it goes and then proceed further.
Martin, you look like you want to add something? I can add something, yes. So first, I think I brought up one point, which is about how to make it better, and this is really this natural language policies approach; probably this is one of the things. The other thing is, I think, related to what Srijith just said, which is about on one hand having a plan, on the other hand slicing the elephant. You need to do both things. And this plan needs to be large enough. It needs not to be a silo plan. It needs to be the big plan.
By the way, I always hear, oh, we have so much time pressure that will hinder us in being ready on time. The only thing which hinders you from being ready on time is not having a plan. So if you don't plan, you will fail. If you plan, you will succeed. It's very simple. And so make a plan, understand it. I brought up this picture of an identity fabric in my keynote, and this is the starting point. And then you need to understand: this is my program, these are the projects, and that's how I proceed. And then I do. And like what Srijith said, I do it stepwise.
I learn, I do my first experiences, I get whatever patterns of applications onboarded, I repeat and repeat and improve.
David, your thoughts about how to improve or how to start with your really good access management ecosystem? Yeah.
So I couldn't agree more with what my predecessors said. If I wish to complement this, perhaps I would mention that first, of course, the alignment of your plan with top management is the key. So you need to understand who your sponsors are. If you are doing IAM or access management for the sake of access management, because you have an idea of what should be there, then you are probably wrong. This really needs to be a discussion with your top management, and you need to have the right sponsors in the conversation. Once you have that, then you can derive your plan.
You can set your priorities and you can demonstrate success. And if you do demonstrate success, then you enter into this PDCA cycle that will allow you to move forward with new initiatives, get the budget, and so on and so forth. Definitely. Yeah.
And that's an interesting point you bring up with what you said. So the stakeholder part is super central, the requirements part is super central, all around that, but you also need to measure, and you need to demonstrate success.
And one typical failure, by the way, is that people start measuring too late. You need to measure before you start, because then you have the baseline to compare with; only then can you, hopefully, demonstrate your success. Definitely, definitely. You need something like small quality milestones or whatever when you start such a project, and show your senior management, and also your key users, your results, your success stories. That's very important, and it's a reason why projects also fail here. Next question: what's next in store for access management?
So we are an analyst company. We are talking about trends, future developments, and things like that.
David, your thoughts about that? So let me look at my crystal ball and tell you what the future will look like.
So, well, of course, I think it has been said before in the previous talk: passwordless authentication is a very big thing, because not only will it bring a better user experience for our populations, who are sometimes sick of authentication mechanisms, but also it will bring increased security, if well done, of course. So I think this is one of the big things that is just there already.
And then, well, we have had this movement, self-sovereign identities, which have been renamed decentralized identities, which is, I think, really the next big move in the market, because this will change profoundly the roles of a number of incumbent market players. And it will take probably a few years to establish itself, but there are already very strong initiatives in place. And this is an extremely interesting evolution of IAM. Yes. Srijith, your thoughts? Yeah.
I think the main thing I see as a big driver that's gonna happen in the next couple of years to come is this push towards zero trust. I know it's the old mantra and the old concept; there is nothing radically new about it, but I think people are realizing that, first of all, zero trust as a concept makes sense in the new cybersecurity
world we find ourselves in, but more importantly for access management, people are realizing that authorization and access management is core and central to the whole process, right? I mean, anything to do with zero trust centers around access management and authorization at runtime. Correct. So there is gonna be a big push for that.
The importance given to authorization is gonna increase because of that as well. And the other part I'm seeing is that there is a maturity that we are seeing in customers now. That maturity in understanding what authorization is, what you need, will be translated into things like dynamic authorization.
How do you get things in context and understand the dynamic nature before you make a decision around authorization? And that will help drive not just the complexity of solutions that companies and enterprises can work with, but it will also help drive the baseline of what compliance people want, the auditors want, the data security officers want. So authorization and access management will be core and central to all of that maturity that enterprises will see in the next years to come. Great answer. Martin, what's in store for access management?
I think a lot has been said. Decentralized identities, very important; passwordless authentication, very important; zero trust, putting it into the context, very important. Zero trust is really, even while it's not new, in the way we see it today, well beyond the networks, a super central concept for everything around cybersecurity. Policies going beyond authentication into authorization, super relevant. And I think this also brings in this point of just-in-time access.
So I see the shift away from static, from standing privileges, from static entitlements, because yes, they are relatively easy to understand. Look at them.
You see, oh, this is allowed, this is allowed, this is allowed. At least it looks a little bit like that.
I'm an old Active Directory or Windows Server guy, and when you look at file server entitlements and the inheritance of entitlements, also for networks in earlier days, it's not as easy as it might look. So sometimes it gets super, super complex, but the problem is that there is always a danger of them being outdated.
If you do just-in-time, and if you look at our agile environments, the agile way we do it, the volatility we have, then getting better at just-in-time is a logical consequence: just-in-time provisioning, just-in-time access, for instance in privileged access management, et cetera. And then again, this goes back to what Srijith said, which is about, it's Srijith,
you know, I always can't say this name perfectly well, even though Christopher iterated it 10 times before. And so the point is, it goes back to policies. It goes back to dynamic access. It goes to runtime access control. This is big, you know, when I look as an analyst at what is happening in the market and when I see where money is flowing; these clearly are the areas of access management where I see the biggest innovation. Great answer.
So we heard about passwordless, we heard about zero trust, SASE, risk-based approaches, policies, just-in-time access, but what is the first thing an organization should start with today? And one short, final answer from each of you, please. David.
Oops, that's tough. This is so unique to every organization, but, well, clarify your IAM priorities based on top management strategy or aligned priorities. Great. Srijith. Get your requirements correct. Implement, rinse, repeat. Martin. If you don't have it, implement MFA. If you already have it, just, very simply: make a plan. Great. So thank you very much,
David, Srijith and Martin, for this really great panel discussion. Thank you very much and have a good day.