All right. I need my perfect.
Hey folks, my name is Sam. I actually joined Microsoft in 1998. I started working on multi-master replication and Active Directory in the first Windows Server 2000 Active Directory out there. I've been in identity since then across a wide range of products today. Now I actually manage our, broadly our authentication and device platform team within identity and network access in Microsoft today.
Now, for today's keynote, I did not want to talk about anything specific to technology. Alright? We've been in identity for a long time. We've been focused on the enterprise world. We moved to the cloud side of the world, and I just thought I'd kind of use this occasion to talk a little bit about what have we learned, what do we see happening now? Where is our thinking about moving to the future? All right?
Like, it's not every aspect, it's not deep technology, all right? And some of these, I've actually seen some of the, like, the sessions, they're all very related at the end of the day, but a lot of it is about really the context, all right?
Like, and for us, customers are really our context in terms of really taking abstract problems or, and, and really making it real, all right? From the context of a problem of a customer.
So my God, better get my clicker.
So I wanted to take our first viewpoint to say, Hey, what have we really learned a little bit in the past? All right?
And, and, and some of this is pretty obvious, all right? Like this has been the reality for the last decade or so, but I wanted to kind of like point out a couple of things that really kind of makes sense. All right?
For us, we, we are seeing an explosion on how people do business. All right? People like the pandemic response, just take that as an example. It's just changed the shift of how people do work, all right? And so for us, it's kind of been important for us to recognize some of those and we've been adapting and reacting to that all the while along.
Now, the other thing that I really wanted to point out is identity actually is useless without necessarily focusing on applications at the end of the day, alright?
It's about allowing users to talk to applications or allowing applications to talk into applications. So we've seen this huge shift in terms of how applications get built, and as a result, we've seen standards change. We see APIs change, we see vendors bringing API frameworks as well into an application environment. And our job is really to, Hey, how do we evolve with how applications are built, the environment?
And how do we go and secure them so that users and application can securely access these? The final thing for me that is worth calling out is that we're seeing an explosion of signal. All right? It is really, there's so many different environments that we see, you know, in terms of identity data actually kind of being scattered across the real estate of an organization and how do they make sense of that? So these are like some key trends for us.
Then obviously, alright, it's been a crazy last decade in terms of the evolution of security threats for us, and we've had to keep abreast of these in different ways. All right? And so for us, it was always about how do we go support and secure our customers at the end of the day for doing that? And it's not been easy, all right? Solorigate especially was a really big eye-opener for us. All right?
And, and so how do we essentially continue to kind of like help our customers today? So this has been like the last few years, the few things that I can't even talk about. But at the end of the day, the types of threats that we are seeing have just advanced so vastly. And it is important for us to help secure our customer real estate by really being abreast by really kind of keeping, you know, in tune with some of these innovations that we are seeing from our, from security threat actors.
Now, a few things for us is really that I think it's also worth calling out that we are also seeing a huge difference in terms of how we think about, we use the term workload identities, all right? We are getting more and more where applications are really becoming more microservice architectures deployed in clusters, in different types of environments. And they all require communication, you know, and secure communication as well. So this is another key change that we are seeing, and we've been evolving to that.
The second is that while the network perimeter is devolving in some ways, especially with the pandemic response, all right, still network access security is important, all right? We, we continue to see that and, and we have to kind of make sure both identity and network access solutions work well hand in hand.
Another key change for us in terms of our observations is really the expanse, multi-cloud environments. We see most of our large customers all have multi-cloud environments.
They have an Azure environment, they have an AWS environment, they have a GCP environment, they have private data centers as well. So it is important for us to really think about how do you manage access, you know, across these, because right now the challenge has really been that the permissions are that's been granted are necessarily not secure by default. And as a result, we see certain types of threats associated with that and, and, and being exploited as well in certain cases.
And, and as you can see out here, we are like, you know, there's a huge gap between what's being granted versus what is really required. Customers finding it difficult to go think about this in a multi environment world, right?
So for example, an AWS IAM environment is very different from an Azure IAM environment, which is different from a GCP IAM environment. So if we really put ourselves like in the shoes of customers, that is a challenge for customers as well to say, Hey, how do I bring this all together?
I'm sure you've seen a bunch of folks also talking about this in terms of like, how do I do permissions management in a multi-cloud environment? Now, that kind of like are some of the key trends or things that we notice. Of course there's a lot of the basics that are happening, which is the move to the cloud in terms of moving to services.
Now, in terms of where we are right now, I think for us it's really about how do we meet customers where they are at? And not every customer is the same.
Yes, we try to provide prescriptive guidance as best as possible based on our knowledge of customers and kind of help out. But at the same point in time, we are very cognizant that at the end of the day, we want to make sure that we can meet customers where they are at as much as we can. To do that for us is, I'm sure you've heard this terminology a lot in this, in this session, alright? We call it trust fabric for us.
I've, I'm sure I, I heard the terminology identity fabric, but it's, it's really about trust for us. Because at the end of the day, the heart of what we do is connecting users and applications to resources. And we have to do that in a secure way. We have to do that in a seamless way for, especially for our end users, alright?
And we have to find ways to connect all of these seamlessly through standards.
So, so we always use this as our construct in terms of how we think about building the next generation of solutions. What are we telling our customers to actually go to? Now, a heart of what we... My apologies, I do have a little bit of a sore throat.
So, but a heart of how we think about this is really our notion of zero trust approach, all right? And, and, and a crucial part of this is that it's a constant evaluation and a remediation experience, all right?
And, and you wanna do this in as much of a self-service manner as possible so that that is compliant for whatever your an organization needs. So that's the function of what we do.
Now, one of the nice things about working for Microsoft is that we have a lot of these pieces that we can connect together to provide a better integrated solution. But the, the, the concept still is the same. Alright? At the end of the day, you still need a great endpoint management solution. You need a great risk detection solution, you need a great IAM solution. All of these have to interact well for you to actually have the right secure experience that you're kind of really looking for.
Now, the other kind of key thing is that clearly for us, specifically at Microsoft, the last decade has been and continues, in which as customers are moving to the cloud, alright? They're adopting more and more of cloud-centric IAM.
By the way, it is more and more, it's not fully at cloud-centric IAM yet, all right? Most of our organizations are getting more, the, that we work with are getting more into a hybrid world of having a cloud-centric IAM solution along with their existing IAM solution that they have today.
Now, one of the key things in terms of the drivers for them has really been security because like I, one of my Twitter handle is actually Mr. ADFS, alright?
I, I drive ADFS, but I, at this point in time, I'm asking our customers to say, Hey, move away because the cloud security is a way better model for us to protect you rather than you relying entirely on your own infrastructure to go do that, especially at scale. So security has really been the key kind of driver that we are seeing more, more of our customers take a, be more cloud-centric approach.
Of course, it, it enhances productivity as well. All right?
Now I really wanted to focus on three key areas. Where do we think the next decade is in terms of where you would expect us to really be thinking through?
All right, I'm not, I'm not prescribing to any solution here today, all right? It's just more of a directionality of saying these are the areas that we will definitely be focused on from a Microsoft standpoint because our customers are really asking us now, the first is really about what is next generation of security protection, alright? How can we use AI to impact, alright? And keep abreast of security threats that we constantly see evolving, right?
This is a huge area because the attacks are getting more and more advanced and we have to be in real time or near real time in terms of our ability to detect. And this is where we think that the next generation of protection is gonna be AI based.
There's a lot of machine learning in there with mixed in with AI a little bit, but really kind of getting better at this because, and, and, and so, so our focus is going to be there, and one part of this focus is also about how do we think about signals sharing, all right?
We have a lot of, like, we are a fairly big organization and with a lot of customers, but at the end of the day, there's signals everywhere. How do we do signal sharing? How do we essentially kind of like, because you can't have a single data repository, so what do you think about how do we go to that and make the lives of our customers a little simpler? So that is kind of definitely going to be one area of thought process for us in terms of doing that.
The next area that you will definitely see us is, and you've seen this from a few other folks as well, is really how do we take the, the next generation of identity that is putting users more in charge of their own identities? How do we evolve identities?
And, and Nick was just talking about another context from a consumer standpoint a little earlier, but at the end of the day, how do we essentially ensure that we can build applications where we put users more in control? And now this, this does require, alright, a a thought process for developers as well because we need to kind of ensure that we can help developers build these applications adequately as well. So this is a, a another key area for us of thinking about this.
Now, one of the challenges here is that how do we make this real for customers? Because this is very disruptive in nature. So how do we essentially find ways to integrate this into a customer's real world problem and make that a reality for them?
And, and that's kind of like our approach in this space, but, but putting users more in charge, in a more privacy conscious manner is good for everyone at the end of the day. Alright?
And so, so that's kind of a, a core area that we will be focusing on in terms of, you know, how we go to this.
Now, as I mentioned, multi-cloud is growing, it's just the reality that we just have to understand. It's not a, we're not gonna have a, you know, a, a single vendor environment for most of our larger organizations. So and so we are really focused on saying, Hey, how do we think about managing permissions in a sane way?
Alright, that makes it easy for admins to essentially understand their real estate across multiple clouds. We wanna make sure that you have the ability to like, you know, we call it a single pane of glass or a control plane at the end of the day. But the simple answer here is that customers just need to find it easy to kind of manage this. They need to find it easy to provision, they need to find it easy to essentially be secure by default. They need to find it easy to say, Hey, if something is messed up, how can the system tell me that something is messed up?
So, so this is essentially definitely gonna be something that we will definitely be focused on and, and our things is that we believe that kind of using historical viewpoints is important, alright? In terms of being able to drive the right set of outcomes. This way we have the ability to think about anomalous behaviors as well in, in the appropriate way. And of course clearly just in time, alright?
Like we, we, we, we think it's more than just for privileged identity management, alright? We think it is just in time access for pretty much as much areas that we have as possible, as long as we can do it in a self-service manner. And finally, it's really about the monitoring angle that I talked about. Because permissions are constantly going to change.
There are things that are gonna change there, but you as an organization really want to kind of be able to use this, how do I say, detect things very quickly, adapt things, even automate the ability for you to kind of fix your configuration management.
Finally, I think this is, this is just a reality.
I think we've, at Microsoft, we are strong believers in saying all of this is great, but at the end of the day, we have to have the ability to have standards across these, for us to be doing that we are active participants in our standards organizations and varying standards organizations, but it's just not Microsoft. It, it is all vendors working with a standards body to really make this a reality. Because without that, we, Microsoft can build something, but at the end of the day, if it can't talk to another system, then essentially it becomes challenging across our entire real estate.
So I'm gonna pause. Thank you so much. Really appreciate giving the time, giving me the time to talk about a little bit about what we are doing. I can take a couple of questions if we have time.
Yeah,
Yeah, absolutely. Thanks very much indeed. And don't forget to the audience here in Berlin and to all of those who are joining us online, you can submit your questions to our speakers via the app and that's where you can make your participation more meaningful. First one we have here is what is the most important lesson about identity from the past decade that we need to learn from and apply today and into the rest of the 21st century?
That's, that's like a hundred things that I probably could talk about, but I think for us, the reality is that cloud driven security is better than on-premises security at this point in time. So if at all that, that's one message that I would say, Hey, we've learnt this from multiple security incidents at this point in time, that's what I would convey.
Oh, that's, that's very interesting. Cause I mean, I think still people are more cloud security.
The never, the, never the twain shall mix and people are still a bit reluctant. Okay, so the next question here is when it comes to building trust and just as importantly retaining trust, what are the most important things organizations should keep in mind in terms of best practices?
I think some of this is really the basics.
All right, at the end of the day, technology offers a set of choices, all right? But a good governance capability or or or process management capability is required for you to essentially establish a right level of trust in that end users have with technology, people have with technology at the end of the day. So I think it is really about like the right governance pro process
Because this is quite interesting over the past couple of days I've been hearing this back to the basics and and so on. And we also heard the idea that governance is now, you know, way becoming a liability itself.
So how do you make sure that that, that the governance itself doesn't get in the way?
Like, like I mentioned my, one of my last slide, alright, which is the challenge here is that we don't make it easy alright? For people to consume it at the end of the day.
And, and the more we work towards in a standards oriented way to make it easy for people to consume, make it easy for people to detect anomalies, make it easy to auto-fix anomalies, alright, is what we need. But you still need a process, initial process to essentially drive that. And this is what we always ask our customers to kind of think in terms of, hey, understand what your plan is here in terms of your requirements.
That's great, thanks very much. Let's hear it again for Samuel. Thank.