Jim Taylor, VP Identity and Security Management, NetIQ
April 18, 2012 8:30
Well, good morning. Good morning, ladies and gentlemen, we're going to make a beginning now, if you would kindly take your, take your places as we gather. Very glad to welcome you and to introduce our first presentation for this morning. We have three, three keynotes, one after the other, a little bit of a more relaxed pace than yesterday. I'd like to introduce Jim Taylor, who was on our panel yesterday, for those who were here. He's VP of identity and security management at NetIQ, and his subject is leveraging identity, or leveraging, if you're an American (I'm happy to provide two options here), to manage enterprise change and complexity.
Okay, great. Thanks very much. Okay. So what I wanna talk about a little bit today is just the changing dynamics of changing complexity and what that means to us. What are we really trying to do? What are we really trying to achieve with identity and access and security? So I've just put up what I believe are some fairly ubiquitous goals in terms of some of the things that we're trying to achieve. The first one is to control the risks and challenges of computing across multiple environments.
Second one: users should have the appropriate access at the right time to the computing services they need to do their jobs. And then finally, all computing should be secure, compliant and portable. So they're the overarching goals that I really want to talk about: you know, what are the problems that we have in achieving those, and what's the best way to go about doing it. So let's get into a little bit of changing complexity and what that means, which ultimately is more pressure on identity and access management. We all know that attacks are increasing.
And if, if, if you argue that they're not necessarily increasing, they're certainly becoming more visible. The impact of the issues that we're seeing is becoming greater and greater. We all know that everybody's going mobile: bring your own device. Having access to everything from everywhere is just a constant in the world that we live in nowadays. And the cloud's here, of course. Everybody wants to consume something as a service. A lot of enterprises are moving applications out to the cloud. A lot of people are consuming things in, in multiple directions.
So the environment that we live in is constantly changing. And of course, we gotta do all this in the context of either a little bit less money, or we have to do more for the same. There's one big one that's not on there, and that's, of course, we have to do everything under the, under the umbrella of regulation, compliance and audits. So these are really some of the key factors that we see putting pressure on companies, making it difficult for them to achieve those goals that set out right at the beginning. So let me just build this slide out. So let's talk about some of the detail.
What do some of these things mean? Well, for IT to be able to deal with these things, IT is under constant pressure to deal with things like conflicting responsibilities: supporting compliance initiatives while at the same time being able to adapt and be flexible and change to business needs; significant and multiple business user requirements. The business wants access to services and they want it right now. They're not willing to wait. So there's an enormous pressure on IT to be able to do that. The business wants access certification.
They want to know who's got access to what. The business is also looking for things like delegated administration: line of business managers want to be able to grant access or rights, things like that, to the people who work for them. They want that flexibility. They don't want to have to go back to IT to be able to do that. And then activity monitoring and reporting. The business wants to know who's doing what with their assets, who's interacting with them and what are they doing? We're also dealing in the same, at the same time, with things like multiple user environments.
We obviously have multiple platform environments: Windows, Unix, Linux, all of those things. We have a host of applications that we have to deal with: financial and business applications. We have a host of people that we need to serve with these things: our end users, partners, customers, things like that. And then of course we have all of the SaaS applications in the cloud as well. On top of that, to solve some of these problems, we have to use multiple technologies.
We've gotta use things like identity management, access management, access governance, to be able to deal with some of these problems, be able to cope with them successfully. There's a whole raft of tools that we have to use. And then finally, the multiple delivery demands: standalone solutions, integrated platforms, virtual appliances, and again, SaaS. So how do we cope with all of those pressures, all of those changes, this ever, ever increasingly complex world that we live in? We, NetIQ, believe that the answer is the identity-infused enterprise.
It really all begins and ends with the identity. If you can adequately identify somebody or something, then you have a shot of being able to manage them. So if it's all about identity and access, what should identity and access do for you?
Well, let's start with what is an identity? Who or what are you? Now, we believe that identity isn't just restricted to people. My cell phone, my tablet, my assets, my services, all of those things have identities as well. They obviously all need some kind of role or mapping or grouping. I need a way to view them, to be able to look at them, to manage them as a collective. And then obviously they all have relationships. If it's an employee, they have relationships to their managers, to their contractors, to their assets, to their phones. I have a relationship with my cell phone.
My wife doesn't like it, but it's true. So once I know these things, once my identity's provided I who I am, what group, what role I fit into and what are the relationships I have with the things that I interact with, be they people or assets, then based on that, I should be able to grant membership and access based on the things I know about myself, I should be able to grant myself access to things like applications, systems, data groups, physical facilities, and resources, things like that.
So if identity and access is really working, and I know who I am, based on who I am, I can grant myself access to the things I need. So let's look a little bit deeper at access: the big picture. What does it mean across your enterprise? What does it mean for companies?
Well, one of the biggest questions that companies always ask us is how do they know who has access? How do they know what that level of access is, what type of access it is and who provided that access? Hopefully these are all questions that you ask yourselves. Was that access reviewed and is that access appropriate? And that's a key: is that access appropriate? That's something that we see more and more today with the rise of governance, the ability to be able to go and validate that someone has the right access over time and to revalidate it and revalidate it again.
The next big question that we look at is, is that access secure? Can I monitor what is being done with that access? Do I know if I've granted Jim Taylor access to an asset, what he's doing with that access, and what's the risk of giving him that access and is the risk the same, regardless of whether he's in the office, he's working remotely, he's logging in from a hotel in Germany. How do I manage that? So next big question comes down to flexible fulfillment of that access. How can I provision that access across all of the different environments that I live in?
And of course, a big one that we should never forget is privileged access. How do I manage that access for my key users or to my key assets when I need to grant them additional privileges? As a user, one of the things I always ask is how do I gain access? Am I able to sign on from any device anywhere? Is everybody able to, can that access be federated? Or what do I need to do? What are the hoops that I have to jump through to be able to gain access? A quote I heard last week, which I think is very relevant today, is: work is not a place I go, it's a thing I do. That's a change.
So we all take emails, take phone calls, do work remotely nowadays. How do I manage that? So ultimately this boils down to a set of key questions the businesses really need to know. They need to be asking themselves these questions constantly: Who has access to what? Is that access appropriate? Has it been checked and rechecked and rechecked? As a company, are we compliant and can we stay compliant? Do we know and understand our risk? And can we mitigate it? I think if every company could answer those questions successfully, then we'd be in a very happy place.
That's really what I believe to be the goals of identity and access: to provide companies the answers to those questions. So why should you care?
Well, if you can grant the right people the right access to the right resources at the right time, quite simply, it has an impact on your business. It means money. It means productivity. It either saves you cost because your assets are working, you have a zero day start or a zero day stop, or it makes you money because you're a lot more productive. It needs to move at the speed of business. The regulatory pressures, we're all aware of them. We all know that this issue has now raised itself. Security has become a real conversation. Security and compliance is often discussed at a board level.
How do I deal with that? How do I manage my internal audits? Everybody remembers how painful these things are and how difficult it is to go through an audit. Well, identity and access, a good solid identity and access system, allows me to answer some of those questions. It allows me to not worry about that. If I can get a day-to-day real-time picture of where I am, who has access to what and what they're doing with it, then I'm a long way towards being compliant and mitigating risk. We all wanna stay out of the press. Nobody wants to be in the press for a security issue.
The impact of these issues these days is just growing and growing and growing. We've seen over the last couple of years the significance of some of this. If you just think about some of the costs involved in some of these things: Société Générale, 7 billion; UBS, 2 billion; who knows what the ultimate cost of Sony, of the PlayStation Network going down, was. Compare that to the cost of being able to have a solid identity and access system. So what can you do about it? How do you answer some of these questions? How do you manage this situation?
Well, as a software vendor, what we found is that, well, certainly my view is that over time, a lot of software vendors have developed specific technologies to deal with some of these solutions. And fortunately, a lot of these things were driven by separate market needs, point products. And in general cases, integration was an afterthought, when really what I need is a holistic picture. I need to be able to tie all of this stuff together. I need to be able to know who has access to what, is that access appropriate, and what are they doing with it?
So even though many vendors have started to improve the integration between things like provisioning, access management, security solutions, we believe that a different approach is needed. We believe that the next generation of identity solutions needs to leverage and share common intelligence. Now that doesn't mean one all-encompassing, as, as Martin Kuppinger likes to say, big fat monolithic thing. It just means that these technologies need to be integrated. They need to be able to talk to each other. They need to be able to share information with each other.
We believe that things like common user interfaces, sharing of data between these technologies is critical. What it really gives me is if I know who somebody is, what access they have or what they're doing with it, it gives me context. It gives me context and information about the things that are going on in my world. If I have that context, then I'm able to act accordingly. I'm able to make the appropriate decisions. I'm able to manage my security policy. I'm able to understand, mitigate my risk.
So I wanna talk about a specific example, and that's user provisioning and access governance, which is obviously something that's a fairly hot topic at this point. So really what we saw was two different markets or two different needs growing up in parallel within the identity space: user provisioning and access governance. User provisioning was really driven as a technology. It was techies selling technology to techies. It really was a very, very kind of, not really very well understood by the business. Business people know that they want access, but they just don't know how that happens.
And then you have access governance, which was really driven by the business itself. It's a, a set of technology that's focused at the business user, around the business user wanting to know who has access to what, the business finally being held accountable for that, and the business really wanting to know that they can validate that access. So what we're seeing is convergence between those two technologies.
We're seeing that user provisioning, driven by the IT, is demanding now business-centric interfaces, things where the business can request access to things, change entitlements, things like that. We're seeing that access governance is really demanding significant fulfillment. It's one thing to be able to do an access review, to be able to check somebody's entitlements. But if I change an entitlement for somebody, I want to know that that's happened.
I want my access governance technology to pass that change to my fulfillment technology, my fulfillment technology to complete that request and to report back to the access governance that it's done. So I want closed loop. I wanna close the loop between governance and provisioning. So really see next generation identity and access governance being a business interface with trusted fulfillment. So some characteristics of what we see as being next generation identity and access governance.
First of all, it needs to provide a common platform that's flexible and provides a variety of integrated services. I need to be able to plug things in and take things out of this quickly and easily. Can't be difficult and can't require a lot of work. I need to enable my vendors, my partners, my customers, to be able to select the solutions, the level of governance, the level of provisioning, the types of activities that they want to be able to do in a modular fashion. I need to simplify my deployment, my management.
I really need to enable my service to be able to dynamically add and remove or respond to the changing business requirements in my environment. We all know that the speed of business is getting quicker day by day. I have to keep pace with that. And then I need to intelligently be able to react to changing service levels. I need to know when a service or a system or an asset is under pressure. I need to be able to manage that. And obviously I seamlessly, I wanna be able to seamlessly provide my identity services across all of the environments that I deal with: cloud, mobile, everything.
So I'm really looking at an identity hub. Obviously it needs to be able to perform, it needs to be platform independent. So here are just some of the things that I, that we think are really what you need. Some of the, some of the areas that we think need focus, that businesses need to solve. So within the identity and access governance space, we obviously have compliance. We have access request. If I'm in a position where I can create an enterprise entitlement catalog, that becomes a natural place to shop.
If I have a, a list of all of the entitlements that everybody has, then that's the easiest place for me to go to be able to add or remove or change entitlements. I need to be able to recertify. I need to be able to check that my users have the appropriate access, that, that access is monitored and certified, that the people who manage the businesses, the line of business managers, are checking that Jim in accounts doesn't have the ability to create invoices, POs and write checks. If that's the case, I need to know it. I need to be able to use those entitlements to manage my roles.
And then obviously I need to manage entitlement creep. And that goes along with the whole theme of knowing, constantly being in a real-time situation where I can manage these things. So the next big block for us is identity and access management. Once I have my governance in place, I need to be able to provision. I obviously need to be able to fulfill, manage those things. I need to be able to either federate or trust my authentication. I want my sign-on to be simple and secure.
I wanna be able to create a way that my users can get at those assets easily or appropriately, depending upon security needs. I obviously have to cope with things like SaaS and mobility, and obviously Active Directory plays a big part. I need to be able to manage that. And then of course our privileged users again. Now the other piece that we really believe that you need to tie this to is your security. It's one thing to be able to manage your identity and access and be able to know who has access to what. It's a whole nother thing to be able to know what people are doing with that.
If I can tie my identity to my security, if I can add identity context into something like a SIEM, my event management, if I can see that Jim Taylor is logging on from two different places at the same time using two different accounts, then I know I have a problem. So security management becomes key in the whole identity and access power in the whole identity and access conversation. It allows me to be able to do things like manage my configuration, log management, correlation.
Once I have correlation and events, if those, if those events that are flown through my security systems have been enriched with identity data, then I really am able to tie everything back to individuals, to users, to assets. And then finally, obviously through my security, I wanna be able to remediate. If I see something that's happening that I don't like, I wanna be able to manage that situation. I wanna be able to react in real time. So obviously a little plug for NetIQ: here's the products and solutions that we provide to solve some of these problems and capabilities.
But the key here for us is that all of this is built on a foundation of identity. Everything we do, from identity to access to security, is all done in the context of identity. Everything is tagged and managed as a unique identity. Once I have that ability to truly identify who somebody is, then I'm able to manage them. Finally, just a little bit of NetIQ. So I kind of raced through and jumped ahead of schedule.
So, so that's it. Thank you very much. Thank you very much.