Alright, good afternoon everyone. My name is Janna Nan and my presentation is about battle tested strategies for IGA or SaaS IGA. And the main idea is to help the people who are going to buy a new SaaS IGA solution to select the right product for their needs. So short commercial break. So I have worked all my career around the digital identity, so IGA, PAM, external identities, AD and so on. And in the last few years my work has shifted towards the cybersecurity, like probably all yours.
And before my IT career I was playing Counter-Strike professionally and people know me as CO in the eSports world and now I'm in the cooping. So alright, if you are wondering why there are other McKinsey slides, it's because our legal so, so that's why these slides are like this.
Alright, end of the commercial break.
So if you are wondering at this time, at this day in this room you probably know the basic concepts, the identity governance and administration and then the software as a service.
But I would like to highlight, so when you're selecting the product, concentrate on the architecture. So be sure that if some IGA product is offered as a SaaS service feature that it's built on microservices so to say. So there are plenty of vendors who say that they're offering SaaS but it's actually the same traditional IGA product that is just hosted on the IaaS and you can pay it monthly so to say. Okay, let's continue.
So my background for this presentation is that we had the very large tendering process for SaaS IGA, so I'm from SK company, what is one of the largest companies in Finland and I think the tendering process was one of the largest IGAs in the Nordics so to say.
So these are the insights from that tendering process. So we found out there are like three trends in the IGA market. So basically identity security, it has become the key component of the cybersecurity. So we have shifted from the on premises to cloud and now we need to secure our identities.
Then there are quite many new players in the market and there are a lot of M&As undergoing all the time. So it's kind of hard to know which company bought which company so to say. And then there are like new capabilities and new emerging technologies.
Secondly, I would say that most of the products are converting into kind of the unified platform. So IGA vendors are developing additional services like PAM or B2B management or EM and those kind of services around their IGA platform. Then the BA PAM and access management vendors are entering the IGA space.
And if you are buying the IGA product today, you will probably need to think about how does that platform support your other needs. Let's say B2B management or PAM and all this has led us the IAM leaders in the confusion. So we are thinking about how to support our cybersecurity like modern SEC identity security needs, how to handle all the regulatory compliance, how to fulfill the zero trust needs and so on.
And then when you're choosing the product, there are a lot of products in the market and then you need to kind of balance between the on-premises IGA, SaaS IGA and then the lightweight solutions.
So when we were looking for the capabilities, this is kind of the matrix of different capabilities that we were looking for.
So I will say there are the basic functionalities, let's say identity lifecycle, access request and audit, that it's kind of easy to achieve as a software vendor but very often it's kind of easy to achieve for you too, so for the organization. Then there are more likely the major features which require more depth in the IGA product. So let's say role management, so these and those kind of things and how well those implement in the, let's say SAP and so on. Then we have kind of the advanced category. So this is all the cool new stuff.
So advanced analytics, role outlier detection and that kind of m features and so on. And of course the AI and maybe in this presentation the last and also the least, so the customization which is in yellow. So basically to kinda achieve the SaaS IGA you kind of need to let go from many of the customization cases.
Alright, so we think that there are like three different categories. So traditional IGA solutions which are the full IGA, so many traditional IGA products, let's say SailPoint and One Identity all saving and so on.
And those will kind of fulfill the needs of organizations that are very large, complex and highly regulated. They usually have quite heavy on-premises footprint and managing and updating these products has been challenging for many organizations. And on the con side there is also that you are often missing all the new capabilities that will be built or could be only built on the cloud. Then on the light IGA side, these are offered as SaaS, they will fulfill your basic use cases. They have the very modern user experience and they are built as a SaaS service.
And these products in this category are kind of developing very fast towards the SaaS-delivered IGA.
So they are trying to get rid of the light status and there are still some limitations when we go to the major and advanced categories. So those are quite limited and I think that those kind of fee products fulfill the organizations that are cloud only or can wait some time until the features are available. Then under the last category we have the SaaS-delivered full IGA suite.
So they are full IGA suites that are developed straight to the microservice architecture and to the cloud and you will get the updates and improvements without the large version upgrades. And on the con side on these products you would need to kinda let go of the control of your infrastructure but also of the extensive customization and these are the products that are targeted for large and complex organizations.
Also then there are some vendors like let's say Fastpath and Netwrix who are offering us, so this and Active Directory integrations and so on in the IGA space.
Alright, if we map these capabilities into these three categories, I would like to point out three things. So if you have a very customized environment and you need heavy customization, I think it's very hard to manage that or get that done with any other products than the traditional IGA solutions.
Then secondly, when you are doing the procurement, there will be like a lot of features that the vendors will say that they have, but you need to kind of deep dive into those features and check do they fulfill all requirements. So many of those are still a bit limited. And then if you are going for the SaaS-delivered IGA, you need to let go from the customization.
Alright, so these are the actual findings from the procurement. So if we start from the left side corner, so vendors don't know your organization, your requirements, your data and so on. So we had quite much of the open discussion with all the participants in the RFP phase and the RFP sessions and we tried to describe our long term requirements and share like a lot of our architecture, a lot of material about how our organization works and so on. Then I think the second one is the most important or we learned most from it.
So basically when you are buying something and you are new to it, you probably do not have the knowledge about the market, the products and services and capabilities. So what we did, we had a very large RFI round where we interviewed or got the presentations from a lot of companies and then we selected few of those companies to deeper discussions in the RFP phase. And the point from there was that every company excels in something.
So you will learn a lot if you see like 10 or 20 presentations. Someone might be very good at the support services or someone might have a super good plan for implementation.
Then the third point, so there will be a kind of heavy information flood during the process. So basically provide some buffer time. Don't try to do this as fast as you can because otherwise you can't enable the material learning for you. And then we all have these kind of RFP materials in most cases.
So you might have 200 questions, example questions for the IGA, but try to provide your own precise questions for your own requirements and for your own needs and ask those from the vendors. Those will help you a lot more than the 200 example questions which will be copy pasted from the vendor side. Then as a buyer you will end up in a situation that you will be uncertain about your decisions. So basically you should get someone with the previous experience from the RFP or RFI processes, preferably from the vendor side.
So basically I joined SOK from the consulting, whereas I was a digital audit, the lead for note cloud. So I kind of knew how the partnerships work, I have seen the prices and so on from many vendors. Or if that's not the possibility, you could use let's say call analyst or materials or consultancy to help you.
So, and I think those kind of things, it's good to have at least like a few calls during the process, let's say one in the end of the RFI and one in the end of the, or middle of the RFP so to say. And maybe the third tip is to talk to your peers who have done this before or are in the same position. Alright. Then the last perhaps, but not least tip is that in many presentations or websites and so on, there will be a lot of capabilities, but these will only exist partly in the marketing in the real world, but they'll be full in the marketing slides.
So the devil is in the details. So take time and go through all your needs and try to understand the product capabilities and also the limitations. There are always limitations in all the products and ask for POC or demo from the vendor. This will be very helpful for you.
Alright, I have three minutes left and this was my last slide.
Thank you very much.
By the way, taking your eSports name, you know what my nickname was in school,
What could be
Could be.
Ah, alright, so I still probably react quite well. Could be,
Which makes, by the way, the next question a bit tricky or the question which came in we had a bit tricky because it starts with hey, copy. Yeah.
So, but in this case it goes to you and not to me. How do you manage based on a SaaS based IGA platform or I platform to still meet customization requirements?
How do you manage those? Like how do you manage? That's
Just a question.
How, how do you deal with customizations?
Well, I think you can do it, but my tip is kind of to avoid it in most cases because if you are getting updated constantly, someday you will end up in the problem with the product. So some feature or some of your customizations might not work. So that's maybe the approach for that.
And, and maybe on customizations a bit ago, I've been publishing an article on LinkedIn about customizations. I think this and the discussion behind it is very worth to read because if you customize do it right and it goes back to the architecture so that it doesn't break immediately. And so that requires good architecture.
Yana, thank you very much. Or Ku, thank you very much for the session and the insights and.