Welcome to our KuppingerCole Analysts webinar, "Higher Education CIO Virtual Summit: Driving IT Efficiency With Automation of Student Matriculation and Access Governance". This webinar is supported by Pathlock and the speakers today are Greg Wendt, who is Executive Director of Security Solutions at Pathlock, and me, Martin Kuppinger, I am Principal Analyst at KuppingerCole Analysts. Before we start with our webinar, a little bit of housekeeping.
So, you don't need to care for audio, we are controlling audio, you're muted centrally. We will run two polls during the webinar, one right after this slide and one at the end of my part of the presentation.
Hopefully, you'll participate in these polls, the more results we have, the more interesting it is, and if time allows, we will bring up the poll results during the Q&A session. There will be a Q&A session by the end of the webinar. Please enter questions at any time they come to your mind. The more questions we have, the more comments, the better it is. At the right-hand side of your screen, you will find a Q&A area as well as the poll area.
So, looking forward to receiving your polls so that Greg and me can respond to them, your questions, so that we can respond to them. Then recording and slides, we are recording the webinar and we will provide a slide to you right after the webinar, usually the day after. Before we look at the agenda and dive into the details, I want to start with the first poll. And we're talking also today about identities, in this case of students and others. We're talking about access management, we're talking about IAM in a very specific use case. And we see a lot of projects stalling and failing.
And so, if you already have been involved in IAM projects and may have faced some trouble in these projects, the question we have to you is, what do you see as the main of these four reasons for IAM projects stalling or failing? So, is it usually budget? Is it a stakeholder management aspect? Is it a lack of understanding of risk and regulations or a lack of skilled resources? There might be more options, but we picked up these four out of many.
So, we'll leave this poll open for a while so that you can respond to it. As I've said, you'll find it on the right-hand side of the webinar tool, the option for polls.
So, please provide your perspectives here. For the agenda, I will look at this topic a bit more from a generic perspective and put this into the context of other IAM use cases.
So, to my perspective, what we're talking about is one of the IAM use cases that is a bit underestimated in terms of challenges. So, there are some things in higher education that are more complex to handle than, for instance, that sometimes other IAM use cases are.
So, this is something we need to be aware of. We'll have a look at what does it mean, what we should keep in mind. In the second part, Greg will talk about enabling IAM in higher education, automation and streamline reviews. In the third part, we'll do our Q&A session.
So, with that, let's start. I want to start with a picture I brought up and probably some of you have seen before, which is the Identity Fabric. It's a concept we released the first time about six or seven years ago. I think early January, mid-January, there will be a webinar where we will release the 2025 version of the Identity Fabric with a number of updates and extensions for this framework. But when we look at this framework, then we have an approach which looks at basically what identity management needs to do.
What identity management needs to do is providing seamless yet secure and well-governed access for everyone and everything to every service. That requires a certain set of capabilities which are put into services, which are supported by tools for different types of applications, be it digital services, be it SaaS applications or legacy applications. In that picture, we have the human identities.
So, we have typically what we in our sort of standard version look at. We look at workforce, we look at partners, customers, and consumers. When we look at the higher education use case, then the question obviously is, what about students? What about alumnus?
So, do they count to one of these groups? Are they a specific group?
And so, first, we have also in, for instance, enterprise identity management, we have more than these four groups in certain scenarios. So, we know a lot of organizations which, for instance, have their workforce, so their employees in this case. Workforce also could contain contractors, could also handle the contractors as part of partners just to be defined. But the workforce, then they also say we have the retired people from our workforce because they're, for instance, still allowed to shop in our own shops with specific discounts.
And so, we have other types of groups of identities and people also in other scenarios. But for higher education, we have the staff, we have students, we have alumnus, and some in between external professors, et cetera, coming in for a certain while. And a lot of, I would say, quite interesting use cases. And I can remember some of them even while my time in higher education is quite some time ago. And the IT world was a bit different back in the days, but at the end of the day, challenges were that fundamentally different.
So, the higher education IAM challenges are that we have high turnover, we have complex relationships, we have the need for speed, and we have regulatory compliance to deal with. And when I look at this, so IAM for higher education, then we need efficiency to deal with the high turnover.
So, new students come in, students are leaving, they're changing university, they are, which makes it even more complex, maybe away for a while, or coming only for a couple of months because they are from another university, for instance, going from Germany to the US, et cetera, for a year or so. So, we have a high turnover and we need to have an identity management that is very efficient in handling that because we have the peak times. Multiple times a year, there's a peak of people coming in, people going, and that must be handled well. We have now more and more a need for digital natives.
So, the students of today, they are digital natives, they demand a strong user experience that fits to them. And with sometimes, not everywhere, not for every institution, but sometimes also sort of a fierce competition between different universities, et cetera, we also see the need that, or must understand that this is part of the differentiation. We have changes like students turning into alumnus or students doing their PhD, becoming a professor, and retire, even longer journey here.
So, we have changes in the role there, and we need to understand this, we need to also understand relationships here. We have the regulatory compliance, with various regulations being relevant to higher education.
So, we need to serve this. We have always a constant pressure and cost. We have a skills gap usually.
So, at the end of the day, there are nowhere sufficient experts. And this is not different for higher education. We always need experts. We need to compare it on the other hand.
So, when I compare it to workforce, then the turnover is a huge difference. So, workforces are typically pretty stable, while we have these peaks in the higher education. I could say, on the other hand, from an entitlement perspective, the student has a lesser complex entitlement structure, potentially, than in workforce. Not necessarily true because there are projects, depends on what you're doing and which classes you are, et cetera, et cetera. And when we go to other people, it might become even more complex, like professors, et cetera.
So, it might be a bit simpler, but it's way more complex, for instance, for consumers. So, consumer identity management, where we also need to deal with peaks with high turnover, et cetera. Consumer identity management is way less complex in terms of managing entitlements, complex entitlement structures in higher education.
So, we have the challenge that we have some things that probably resemble more of consumer identity, high turnover, a lot of people, et cetera, speed of change, and others that are closer to a workforce identity.
So, it's not a single use case. It's where a lot of complexity from different angles come in. And we also have a lot of specific applications, including some legacy like PeopleSoft, which is heavily used.
So, we need to integrate a broad variety of applications from legacy to modern SaaS to serve the needs and to manage the access of the identities we need to handle. So, if you take the identity management scenarios, the higher education clearly is one that has its own complexities or its complexities of its own. And this is something where we need appropriate solutions to deal with them. And where we also need, I dare to say, experience in dealing with these environments and doing it right.
So, and then there are some trends which come into that. Trends that, I would say, many of these trends are not different to other environments, other use cases, but there are still things that need to be kept in mind.
So, the one thing we are facing in virtually everywhere is the trend for IAM modernization. So, we need, in many cases, we have an identity management that is there for a decade or more. And at some point, there's a need for modernization. Modernization is complex.
And so, it is something which needs to be done, which is a challenge. We have IT modernization as well, which means different applications to use, more applications as well, higher speed.
So, when we look at the way we work today and we have a quick onboarding of new SaaS services, but also SaaS services disappearing after a while, not being popular, not being used anymore. When I was studying, we were using, I think it was, I remember we had a Novell NetWare 286, for instance, in place, which was a pretty simple environment compared to what we have today.
So, it really fundamentally changed. Zero trust, the challenge of increasing cybersecurity, because also higher education is an attack target. We need to implement a strong identity security posture. We have the challenge of regulatory compliance. I think one thing that we have learned is that regulatory compliance requirements rarely go down, but frequently go up.
So, there's more to come, more time. As I mentioned, the skills gap, there are never enough people out there. And last but not least, cost pressure.
So, even while some of the U.S. universities, for instance, have way more money than any German university ever will have, it's still, there's always cost pressure. And we need to be, to figure out how can this be done efficiently. And cost is not only a first purchasing or subscription cost thing, it's at the end of very much an efficiency thing.
So, what is the manpower needed to set this up and keep it running? So, the operational cost is a very important factor here.
So, we have quite a number of challenges we are facing, quite a number of trends. And it is important to understand this, that we are not looking at a simple scenario, but one of the more complex IAM scenarios. Right after me, Greg will go much more in detail here. Before that, I want to quickly bring up a second poll. And that is about what are the primary, or what is the primary factor, it's a single choice question, impacting your organization's IAM budget.
So, is it regulatory compliance driving it? Organizational growth for more people? More security threats and technologies? Or is it the cost?
So, this is a very important question. So, the, is it more that you need to cost, to reduce cost, which is probably more than if your budget goes down, cost reduction.
So, curious about your perspectives here. Again, we leave the poll open for a bit. And I hand over to Greg, who will talk about enabling IAM and higher education, automation and streamline reviews.
Instead, I end my sharing and hand over to Greg. Perfect.
Thank you, Martin. So, as he said, my name is Greg Wendt. I am going to be discussing enabling identity and access management and higher education.
So, who I am, let's go into that just quickly and briefly. My name is Greg Wendt. I'm with Pathlock. I'm an executive director of security solutions here. I've been here just about 10 and a half years. Before that, I've worked oil and gas, retail, higher ed.
So, I started in the ERP space in the late 1990s, 97 timeframe, when everybody was trying to get off of the mainframe, you know, year 2000 concerns, all of those types of things. So, that's really the timeframe that I came in and started my career.
So, I've been in and around and seen lots of different issues and challenges through that, through those years. You know, specifically played enterprise architect for many of those years with those organizations. I've rolled out self-service for a retail organization for about 45,000 people that was actually back, you know, in like the early 2000s before real good broadband internet.
So, it was a lot of fun to be able to do a lot of those different projects. So, I've been in and around this market and done a lot of different things.
So, you know, whether it was building servers or onboarding, you know, 50,000 employees. So, it's a challenge and it's always been interesting to see how that flows. I do think as Martin was kind of talking about, a lot of these different challenges do cross organizational boundaries.
You know, when you think about higher education, for example, you see a lot of that in the corporate world as well in like, say, let's say retail or healthcare because you have a lot of onboarding and offboarding and you have a lot of applications that people are going to be using. So, we really see a lot of challenges like that.
So, who is Pathlock? Pathlock's the market leader in application security, governance, risk, and compliance. A lot of the things that we're going to be discussing here today are some of the access risk analysis, provisioning, we're definitely going to go into that, certifications, role activity monitoring. One of the areas that I really like to call out, though, is the rapid time to value.
You know, utilizing our pre-built content and the way we can deliver the project as a whole, it really gives you unmatched ROI. You can see some of the customers that we work with down below and we've got over 1,300 customers globally.
So, those are some of our customers and partners down below. So, let's talk a little bit about what we're going to be discussing today specifically. It really is about better protection at an overall lower cost. You need to automate certain parts and features of your application governance and you need to modernize your data security and those things kind of go hand in hand. As Martin was discussing, you're trying to get to a landscape and, you know, it's really almost unattainable, but you want to get to the best footprint as possible of implementing zero trust.
You want to get to an area where you can minimize the risk of the organization from all aspects, and really you can start with that from two different areas. One of them is going to be application access governance because you need to understand the risks of what you're looking at today. Some organizations are very strong in application governance, others are not so much, and it's really a broad spectrum of where organizations sit.
So, some of the things that we can do for governance really sits within the access risk analysis.
Cross-application SOD, for example, or critical access, you know, what applications and transactions are people using, and the key there that I would like to really call out to is the cross-application because when you're looking at the ERP landscape specifically and how all of the different applications work together, many organizations have multiple different ERP systems or applications that you need to understand who has access to what in each one of these applications to really be able to see holistically what does my risk footprint look like.
I can't just look at it from a siloed perspective of this is what the person has in financials and this is what they have in HCM, for example, or campus solutions with higher ed. You know, you've got to look at that holistically on a single pane of glass to be able to understand, you know, what that access means to you as an organization from a risk footprint.
Also, compliant provisioning. When we talk about compliant provisioning, it's not just did I give some users some access.
That's, you know, a lot of organizations can do that, but what we're talking about is we are going to provide that access to them, but in a compliant way. So, it's not increasing your risk footprint. It's very important to understand that from the perspective of you can put in those checks and balances to where it's not just, oh, I'm just going to copy this particular user ID and I'm going to give it to the new hire and they're going to be able to do everything that that particular person did before. Maybe that person's been here for 20 years and they don't need the same level of access.
So, it's very important when you're talking about provisioning and automating provisioning that you do it the correct way, which is why it's very important to do it compliantly. Certifications or user access reviews or risk reviews.
A lot of, you know, some organizations definitely, you know, do those at a much higher pace than others. It goes back to that maturity lifecycle we were talking about. Elevated access management and role usage monitoring. You're going to see the majority of all that today within demo, and then we also have application security controls. What this does is this is going to be embedded within the PeopleSoft system.
So, it allows us to implement security features and controls that are allow bringing into today's world, you know, like a SAML SSO type of interaction to where you can bring your PeopleSoft system into the same context as an authentication model that everybody else uses, and you can do that out of the box, you know, especially from our compliant provisioning perspective, and then you also have to look at data, you know, and typically when you're looking at an ERP system, it is always about the data. Who's got access to it? How are they referencing it? Are they looking at it? Are they using it?
Are they touching it? You know, all of those types of things, and you really need to be able to have, you know, dynamic data masking that's contextual to be able to decide should you or should I, you know, mask this data for this particular user at this particular point, and then user activity logging, contextual multi-factor, and data loss prevention and session logging.
So, you're going to see a lot of that as well today. Both of these work cohesively together, which is another thing that you're going to see. This is the power of Pathlock of enabling a better together of how we can solve multiple problems for an organization, seamlessly.
So, when we look at Pathlock's application access governance, we really have five main areas. When we talk about access risk analysis, this is the area of where we're looking at SOD, sensitive access, critical accesses, all in one view. You're going to see that you're going to have access to it. Compliant provisioning could be, you know, birthright onboarding towards completely automated and lights out. It can also be an additional access request, and how am I going to look at, you know, the authorizations that were attempted to be given to this person? Do I need to compare them?
Do I need to look at risk? Certifications, the user access reviews, you need to do those, you know, either quarterly or every six months, depending upon the person, typically.
Hopefully, you know, some organizations have to do it monthly. And certifications are really something that's coming up to the forefront about and dealing with cybersecurity. I've heard that from a few different organizations because it is best practice. It is something that's due diligence now. Elevated access management, how do I deal with a system with stepped-up authentication or higher privileged access? And then role usage analysis, that's really connecting the did-do to the can-do.
It's very difficult in a lot of ERP systems to understand, here's the authorizations that somebody has, but what did they do? What have they actually touched?
In, you know, most of the organizations that I've worked with, it's always been very sensitive from a security perspective of, I don't want to take anything away from them. I can't prevent them. I don't want to stop them from doing their job. What this does is it allows you to connect those two things and see them together. So what we're going to do is we're going to jump in and demo here real quick. So I'm going to go ahead and bring open a different screen here real quick. Let's go to this one over here.
So I'm going to go ahead and what I want to do is when we're talking about provisioning, I'm going to go ahead into an ERP system. So this is PeopleSoft Campus Solutions, for example, and what I'm going to do is I'm going to change a student's data, and by changing the data, what I'm really doing for this student is I am marking them as we are now no longer recruiting this student. From an application perspective, what we are doing is we are now going to enroll or bring this student. They have said that they're going to come to our organization, and so we need to do certain things.
Typically within the process in PeopleSoft, this is an onboarding event, so if you want to think about it from an HCM perspective, it's a hire. It's something to where you're bringing them into your organization. You need to be able to grant them some privileges, give them access to different pieces of software inside of your organization. So as I do this process within PeopleSoft, this is a normal function. This is what a normal user is going to do. They're not doing anything outside of band. They're going to come in.
This could be systematically done, or it can be a person interacting with the screen like I just did. The advantage to that is when we talk about that, our Pathlock system is going to go out. What I'm going to do now is I'm going to run an organizational sync, and I'm going to talk about what's happening as this is going on. So as I kick this off, what's going to occur is Pathlock Cloud is going to go out and look at this system that it's configured to communicate with. In this particular situation, it's looking at that Campus Solutions.
So it's going to go find any additional new transactions that are going to cause some sort of workflow event. So basically, what's happening is it's looking to see has data changed in a format that we need to do something with. So in this scenario, the matricking of that student is saying, hey, we need to now create them an Entra account. We need to go ahead and create them account into the PeopleSoft system. We may need to go and create accounts into three or four or five, six other systems, depending upon what type of access they need.
But all of that's going to take place completely automated. So typically, this organizational structure would be automated. You can run it a couple of times a day, depending upon how quickly you need these into the system. And that's going to vary depending upon the type of organization that you are. Major universities typically would do this three or four times a year, really, because it's an event where, OK, they're coming in for the fall term or the spring term. So you're matricking at those particular moments in time. So it's going out, and it's going to attempt to find people.
What's going to happen is when it does find those people, it's going to kick off configurable workflows. Those workflows can actually go run out and automate creation, updating. In this particular situation, what we're going to do is we're going to really show the power of a lot of these things on how our two systems work together. Because the first thing that it's going to do is it's going to create an Entra account. And that Entra account is going to have all of the different roles, authorizations, groups that it needs.
So we can go out, we can provision Office 365 so they can have email, all of those types of things. It's also going to create the PeopleSoft account inside of Campus Solutions, and it's going to have all of the security set up correctly for that person. So that just succeeded. So let's go out and let's look at the first workflow.
So if I look at the first workflow of, you know, with the Entra side of the house, what we're doing in this scenario is that configurable workflow really is going to go out, it's going to start automatically, it's going to create the user, it's going to add a role to the user, and it's going to send an email. Why is it going to send an email? Because we really need that email to be able to automate the processes that are going on in that perspective. We want to notify to the end user who that user is, you know, what their email address is, how they're going to authenticate into the system.
So we're going to give them that style of information. We can look at all of the different requests as well. If I were to go back in, look at the, I can show the requests and see how many requests have actually been done, which accounts were created, all of those types of things. Additionally, we also have another workflow that was kicked off with this particular process that's going to go in and create, so we can see all of the different requests that were just fired in.
If I look at this maintain applications, we were looking at Julia Lawrence, so we can find right here, Julia Lawrence was approved on the 17th, so we could go in and actually look at the details of what occurred through this process flow. Same type of thing as that's coming up. I'm going to flip back over here real quick, and I'm going to open up one of my other ones, and I'm going to look at the new students for Campus Solutions, because this was the other workflow that actually kicked off at the exact same time.
So, both of them were done. There's a reason that that's important, because it allows us to create both of those and really set everything up for us to be able to work through there.
So, we can see the workflow. One of the things that we've got here is it created the account. You can see all of those pass through, and then we've got all of the different audits, which is important, because now we're able to tell you this is how it occurred. This is when it occurred. This is what happened. Everybody was notified. Very easy to process and flow through. Same type of thing with the Campus Solutions. I can show the requests, so we can see that was approved. We've got Jennifer Lawrence here. Same type of scenario.
So, really, ultimately, this one came through, went into Campus Solutions. We've got the approval, and this was all handled by the system, because this was birthright access. One of the things that I like to show and really talk about from the workflows is we can leverage what we know as business roles. Business roles allow us to set up and really maintain that zero risk.
So, what we're going to do is develop bulletproof security for multiple applications that we want this person to get day one. So, if I look at the roles, for example, here, we've got roles that they're going to be given in HCM. They've got roles that they're going to be given in Campus Solutions, and we're just going to give them this. This is what they need for standard self-service. We don't want them to be able to do anything outside of the norm, because if we've got a high privileged user coming in here, we want to go through a different process.
We want to give them that with an additional access request. So, it becomes very methodical and intentional as to how that is done.
So, these users are going to be able to have all of this access and be able to do everything they need to be able to do immediately once they get that access. So, I am going to pull open this email that the system actually shot off to me.
So, you can see here just very quickly, you know, what the user has access to, how they can log into their PeopleSoft system automatically, because typically when you onboard a student, you know, or an employee, for example, you want them to be able to log into the system and immediately start functioning, right? You want them to be able to go in and perform the actions that they need to do within the system.
So, you know, as a student, that's going to be add and drop classes, you know, maybe it's going to be accepting financial aid, all of those types of things. So, what I want to do is I'm now going to take that URL that we emailed them that said, here's how you can get into the system, and let's go ahead and log in.
So, what's going to happen now, because we've integrated all of this together, this is that better together story of streamlining the access and making sure the risk is very low and that they have the access that they need and it meets our corporate standards. So, what we're going to do in this scenario is this person is, you know, we created that Entra account, but we need to log in as them to be able to, you know, access their information, those types of things.
So, let's go ahead and put in their user ID. I'm going to now have to put in their original password.
So, now it's asking me for additional information. What is this? This is actually enrolling now in multi-factor in Entra because we, from a risk of our organization, want everybody to enroll in multi-factor.
So, we're going to go through those process flows. So, I've got to go ahead and grab my authenticator. Hold on just real quickly here. Let me grab that and I need to take a picture of the QR code.
So, I'm going to go ahead and add an account to my authenticator here real quick. So, I can say yes, I've synced that and it's going to ask me to put in a code.
So, I'm going to put in a code on my authenticator and it's going to confirm that that's me because I'm going through that particular process flow. And then, once it does, it's going to allow me to continue the process.
So, I just registered for multi-factor. Now, implementing my zero trust and I'm going to go ahead and have to step through that one last time.
So, I'm going to put in the number. Yes, that's me and all of that was done in the Microsoft Authenticator app.
So, and now I have access to the system. So, as you can see through that birthright access, we were able to streamline the entire process flow for this particular user. It allows them creation of their Entra. It allows them creation of their PeopleSoft account. They can come in. They can access the information that they need to do all streamlined and lights out. There's many organizations that have done this particular process, but they're also, they might have done it 10 years ago, 15 years ago, 20 years ago. The problem is the teams that have done that don't exist.
The person who wrote it doesn't exist in the organization anymore. And then, the flip side of it is they're changing a lot of the applications that they're working with.
So, it could be that they're changing identity providers. They now have more cloud-based applications that they're extending and bringing in that they need to create IDs with. And this is a very difficult thing to maintain.
So, this is one of those situations where they typically don't have as large of teams as they used to have 20 years ago. So, they've been streamlined and they have to do more with less.
So, this is where you can automate it with tools to really implement those cost reductions that Martin was talking about earlier as well. So, I'm going to go ahead and sign out of here. And let's talk a little bit more about a couple of different things because there was a lot of discussion as to what we can provide.
So, I'm going to kind of pivot a little bit here real quick. And we're going to talk about how we can provide data security and access holistically as well.
So, I'm now authenticating into a different system. It's going through single sign-on just like the last one was, but I've got some additional rules and policies and things set up inside of this.
So, what I did was I just transitioned to an HCM system. And when we talk about our application security controls, this is where they're embedded within the PeopleSoft system. And this is the better together story between our whole Pathlock solution. This is one of the reasons why we did this as a company. Because now we're able to integrate the information that flows between these two systems that you'll definitely see in a minute.
So, that onboarding, that compliant provision did everything that it needed to do for your users to have seamless instantaneous access to your systems. Now, we need to have those protections inside of those systems, the contextual access controls, contextual MFA, all of those types of scenarios.
So, when we look at this, this is information that by default would be displayed to the users. This is where our data masking, that contextual data masking comes into play. We have the ability to do what we call a click to view, which just toggles the data on and off. No customization to your PeopleSoft system. We also have the ability for a static mask to where they can't see anything.
So, when you're talking about looking at a national ID or those types of situations, it allows you to protect that data. So, if somebody's coming in external to your organization, mask the data. If they're coming in sitting at their desk, maybe, or on the VPN, maybe it doesn't mask in that scenario. But it gives you those controls without having to customize the system. Other things that we can do, I'm going to flip back over to home and let's look at payroll. We do have the ability to take it very far with how you want to implement certain controls.
You can embed multi-factor authentication all the way into your applications as well. So, if you're thinking about a student entering account or an employee entering account, for them to be able to, you know, access their direct deposit information and update that account number, they would have to go through a very targeted MFA. We can configure this with multiple MFA providers.
So, this one happens to be done with Duo. So, I'm going to go ahead and kind of flip through there and show this and say yes. Once we do that, now you have access to the account number and you're able to see it, update it, control it, do whatever you need. Flipping back over, one of the big areas, especially with PeopleSoft, is cutting down on the people who authenticate into the application through two-tier user access. Those are PeopleSoft user IDs and passwords.
So, when you do that and you push everybody to single sign-on, there's still additionally some high-powered accounts that are going to authenticate in with a PeopleSoft user ID and password. That could be your PeopleSoft admin, your DBAs, batch users, run controls, you know, those types of accounts. What we've created around that is the ability to do a switched identity. This is very similar to like an SU in Unix, for example, and it allows you to switch into an identity that you have been granted the authority to use.
The nice part is, as you switch into that account, you don't have to populate the user ID and password because you've been given the access to be able to do this. What we're going to do is some stepped-up logging at this particular point.
So, now we're going to track that this is Vicky Xin, who originally logged in, who's acting as PS1 performing this information. So, when we're talking about audits and controls and everything else that's happening at that particular layer, it really is about being able to report, you know, and answer that question.
So, we keep the context as to who logged in and who's performing the transaction. The difficult part is when you're talking about those two-tier logins, especially with shared accounts, it becomes very difficult to understand who has performed that and who is tracking that information.
So, those are some of the things that we can do very specifically and targetedly. If somebody brings open some information, for example, I'm going to go ahead and just pull open a page here real quick.
So, let's do this. Just pull up some data. What I'm doing is actually creating some traffic here real quick.
So, we're going to pull that open and we're going to open a page. The reason I did that is because I really wanted to show you some of the reporting and the logging that we're able to pull with this because the reporting and logging is very important for being able to understand not only risk, but be able to answer the question as if we did have a breach, what occurred and what happened.
So, I'm going to go ahead and look at the privileged access. And the privileged access is reporting on what just occurred in the side of the system.
So, I need to log in again real quick here. So, this has all occurred in the last 15 minutes. Let's see if it's actually pulled that over.
So, yes, it did. So, you can see in this scenario, we've got the date timestamp, the user who originally logged in, what user did they switch to, the menu, the component, the page, very targeted information, and then also the key that they accessed within that page.
So, as you can see, we understand where and when, you know, what they looked at, what they viewed within the system. So, it is very targeted logging near real time in this scenario. You saw as I popped it open, you know, I just performed those transactions.
So, that gives you the insight as to what that user is actually performing within the system. So, I'm going to switch back over and talk a little bit about access reviews, how we perform that, and what the advantages of those inside of the system.
So, I'm going to switch back to Pathlock Cloud here real quick. And what I wanted to talk about is I wanted to look at risks because the risks are multifaceted and they're going to allow us to build risks across multiple application sets, for example. These risks are all built within my Campus Solutions systems and it's going to be understanding and building that at the level of, you know, who has accessed, you know, certain transactions.
I'm going to sign into one of my other demo systems here real quick just because I want to show some of those cross-application risks at a deeper level and to be able to see that. So, I'm going to go ahead and copy that. Let's pop out of the portal view here real quick. And I can look at the back office.
So, now when I go into compliance and look at risks, you're going to see this across multiple applications. This is going to allow me to have applications. If I filter up here, you can see I've got JD Edwards, Dynamics, EBS, Oracle Cloud, PeopleSoft. All of these things can be housed or within one particular location.
So, that's that cross-application. You can build risks that understand across those different areas of those application sets.
So, when we're building that target risk, for example, I'll pull open one of these. What it's really drilling down into is what particular authorizations do the users have access to within those target risks or within those target applications.
So, the risk can be defined. You can set it up as a medium, high. What business processes does it deal with? But the interesting part is really at that policy level.
So, the policy level allows you to tell what the authorizations are, what the activities are within that target ERP system that this user has access to do. This is an example for PeopleSoft financials at that particular point. If I were to go back to my other system, those risks are all set up for Campus Solutions. But the nice part is those risks are built across applications.
So, now your silos are going to be removed because you can see the risks across those different applications. So, if I were to go back to the portal, what are we going to do with those risks? As I talked about earlier, one of the things that we can do is we can compliantly provision.
So, if I go in and modify somebody's access, this is one of the areas of, you know, I'm just going to grab PeopleSoft financials and I'm going to grab a user here. Let's look at, let's go to here. And what we're going to be able to do since we're syncing with those particular ERP systems is we're going to be able to tell you what authorizations they already have access to. And if you want to add an additional role, for example, so I'm going to go ahead and add in a role. I'm going to pick that here real quick and add that in. We can run a risk analysis.
That risk analysis is going to tell me if there's any additional risks by what I just granted access to that user. So, I believe my headset's dying.
So, I am going to change my microphone here real quick. So, forgive me for that.
So, you should be able to hear me just fine. I'm switching over to the microphone. Let me make sure.
So, now, sure enough, while that was running, we now can see the risks. So, here, if I grant those additional access requests to this user, it's going to create new risks for this user within the organization. Do I want that to happen? Should I allow it to happen or should I, you know, not approve that request? That's the advantage of having the additional access request versus the birthright access.
So, that's one of the things that I wanted to show real quick. Another thing that I wanted to talk about, very targeted and then specifically, is what we call our campaigns and our user access reviews. Our user access reviews are set up. I'm going to go ahead and just pull one of these open. You can do them multiple ways, very easy. We can look at it holistically. How am I going to manage this user access review?
Typically, I like to show this because it's, you know, how many people have already approved it? Who's looking at it? Have they done anything? Do I need to remind them? Do I need to reassign this? Give it to somebody else? You can manage the campaign. When you're talking about running the individual campaigns itself, if I kick off a new user access review, one of the things that you can do is you can select the population. Who do you want to include in this review?
And then, also, what elements do you want to include in the review? So, typically, you're going to be looking at roles. You could be looking at high-risk activities or any sort of other objects like that.
And then, you can select the systems. So, because we are cross-application and we do sync across all of those systems, you can look at them holistically within your review as well.
So, you can schedule one review that touches three or four different systems. So, that information is directly pushed to the managers where they can be able to review that, look at it, approve it, deny it, all of those types of things.
And then, you can save the process and run it and that type of stuff. Once it does run, it's going to kick off. It's going to send an email out to the user.
And, typically, what's going to happen is the user is going to access it via the portal. Our portal allows us to set up a controlled look and feel as to how we want those users to access the system. They're going to look at their certifications.
And, within their certifications, they can look at whatever they need to approve. So, I'm going to go ahead and look at the review for Campus Solutions here real quick.
And, what that manager is going to have is all of the different people who they need to be able to approve. So, I'm going to go ahead. I demo frequently in my demo system with PS.
So, I'm going to go ahead and look at the PS account. And, as that happens, it's going to show me some information on the account.
And then, it's also going to show me all of the different roles that this particular user has. So, as I scroll through, I'm going to go ahead and look for the security administrator, for example.
So, let's grab the security administrator. We're going to pop in and give you additional details as to what this role looks like. You can also do some peer analysis like, for this manager, who else has that role? That's going to be important for being able to look at it.
But then, we've also got the usage. What does this role have that creates risk?
So, there is a risk tied to this specific role. We can also drill in and see more information targeted about this role.
And, this is where we're able to take that information from some of those logs that I was showing you, very targeted and specific. And, we can populate this into the Pathlock cloud system.
So, now, we're going to be able to tell you, within this role, what authorizations did they use and when was the last time they used them? So, now, when you're looking at that, of going through as their manager, and I can see, oh my gosh, they've got all of this access that they haven't used. Why do I want them to have that?
Now, I can make a managed decision to understand, I can remove this. They can always ask for it back.
You know, I can remove the risk for the organization because I have that context and that understanding of, not only these are all of the authorizations that they can do, here are the ones that they did do, and these are the dates that they actually did that on. So, it really closes that door and holds all of that together to where you can see what they've done inside of the application, what they've touched, and really takes out those question marks as to, can I remove or, you know, should they have access to that.
Another area that I like to talk about just here, real briefly, is outside of just setting up risks, you can also look at things a little bit differently. So, I'm going to show you high-risk activities, and what I've done with the high-risk activities here is, frequently, organizations are concerned about sensitive information, who's got access to certain transactions, for example.
So, here are all of the different transactions or activities inside of Campus Solutions and PeopleSoft HCM that have access to a national ID or social security number. So, once I define those, since we're pulling in that log data, I can now also say, all right, who's performed those high-risk transactions?
So, I can pull open and say, high-risk activities for user, and what it's going to do is, it's going to show me all of the users that have performed any of those high-risk transactions. So, let's back this up here a little bit, I can take it out here, and let's get rid of that particular user, and just do a display, and now we're going to see all of the users who performed those. You can see they're flagged as high-risk, we've got the activity, we've got a timestamp as to when that occurred.
So, very quickly, you as an organization can say, all right, this is what I deem to be sensitive or important or high-risk, and I can immediately have access to that information. So, now you can see, you know, not only from onboarding to controls within the application to reviewing who's done what, what authorizations are accessed, we can really fulfill all of those different needs inside of your organization.
So, tangible day one benefits for governance and automation from the IT perspective, a 50% task reduction. They're not having to look at things, the security administrator is not having to come in and onboard these or, you know, people into the organization. They can get birthright access, turnkey into the applications that they need, which is going to reduce the risk. It's also going to make it an ease of implementation because it's consistent, it's done automatically.
From the business users, they're going to be able to define, set it up with those roles and all those types of things to be able to get them what they need immediately. So, there's going to be a 70% cost reduction and their internal controls and audits are about 80 cents, 80%. I know we're coming to time, so I see Martin coming back in.
So, I think we're going to open it up for questions, aren't we, Martin?
Yes, we are.
So, part number three will be our Q&A, and we already have a couple of questions here. Although some started with voting for the questions, what you always can do.
So, the more votes, the more likely and the earlier we will pick the questions. We only have a few minutes left, so we will need to be a bit precise in the responses to the questions. The first question we have here is from someone here in the Netherlands. Students tend to work as teachers on a part-time basis. Separating student and teacher access in those cases is a dilemma that does not have a simple solution.
So, basically, a segregation of duty and conflict in that sense. Greg, what is your experience with that?
Yeah, the nice part about it is, you know, when you're looking at separating the students from, you know, employees and the access that they have, we are going to sync normally with the HCM system. So, we're going to understand what roles they have, you know, what they do for the organization, and then we're going to be able to apply that through those business roles or through the design, so that user has the access to, you know, whatever they need specifically and targetedly, and they're not over-provisioned or under-provisioned at that particular point.
So, that's the nice part about the way the Pathlock Cloud solution can communicate with both and multiple systems of both Campus Solutions and HCM to understand who is this person and what role do they have for us as an organization.
Okay, how does your system handle the influx of large amounts of identities in very short periods?
That's actually something that we've spent a lot of time tuning, you know, because you are talking about onboarding some organizations might be, you know, five to ten thousand at that particular point in time, and it's going to go out, find those users, and it's going to process through those. So, we've spent quite a bit of time tuning those particular processes to where those workflows are going to kick off and run efficiently onboarding those people.
A lot of times it's going to be scheduled, you know, that might occur in the middle of the night, depending upon how your organization wants to onboard those users as a group as well. So, typically that process of the student onboarding is scheduled at a particular point because the organization wants to control that flow through all of that onboarding, if that makes sense.
Okay, one more question. I think we have a few here still. Do you think that it's good to combine workforce and students, so staff versus the students, in one IGA for provisioning, or better to use a consumer identity system for students and IGA for the workforce, or generally said, splitting the systems up? I have my perspective because, at the end of the day, you have too many joint target systems, and splitting it up probably adds a lot to the complexity.
So, I think it's better to work with proper entitlements and SOD rules.
Yeah, I would actually agree with you on that, Martin.
You know, we've got hundreds of customers that are higher ed. I don't know anybody who maintains different systems for the different workforces or the employee side or the student side.
You know, it's one of those situations where it's just, I think, a little bit chaotic. It would be chaotic inside of the organization to keep track of that.
So, it's easier to do it, you know, at the system level. So, you know, I would say it's easier to manage together.
Yeah, so I think we can pick one more question, which is, does Pathlock deliver an out-of-the-box rule set for SOD and risk? So, focused more on this higher education.
Yes, yes, we actually do. It's a best practice type of, you know, out-of-the-box rule set that we're going to be able to deliver.
You know, the organization itself can quickly implement additional policies or rules if they've got something custom into their organization as a whole. But we are going to deliver you a baseline of rules so you can move very quickly to understand the risks that you currently have in your organization.
Okay, perfect. So, with that, I think we're at the end of the time we have.
Thank you, Greg, for all the insights you've provided. Very, very deep insights, very fast and comprehensive demo. Thank you. Thank you to everyone attending this KuppingerCole webinar. Hope to have you soon back in our upcoming webinars in 2025, in our events, et cetera. And with that, I would say thank you and happy holidays.