Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
At this point, what I'd like to do is welcome Duke vis Vek, VK. How did I do? Did I mangle that surname too badly?
I'm sorry, SK, I'm sorry. Sorry, doc. Thank you. So good morning, everybody, from my side. Within Commerzbank I'm the global head for governance and authorization management, and I'd like to share with you this morning our approach to how we get the challenges in the identity and access governance environment under control and managed. First I would like to spend some seconds on the complex environment. So why is this environment so complex, and what makes it so challenging? Because at first sight it looks quite easy, not so complex and rather simple.
You have your employees on the one side, and you have your infrastructure and your applications on the other side. The complexity comes in because you have lots and thousands of employees within Commerzbank; we are talking about roughly 50,000 on the one side, and on the other side approximately 2,500 productive applications all over the world.
So these two parties are dealing with each other day by day, shifting terabytes or petabytes of data from one side to the other. And of course you have to fulfil certain regulatory requirements like the need-to-know principle or segregation of duties. And, oh, sorry, this slide skips a bit, but I think you can recognize the faces as well, even if you can't see the short text next to them. So what we want to make sure of at the end of the day is to avoid fraud cases, and I only picked the tip of the iceberg here.
As you can see, you might remember Nick Leeson, the big fraud case at Barings Bank, or Jérôme Kerviel, or Kweku Adoboli and the rogue trading scandal at UBS. And of course you cannot avoid it a hundred percent, but the question is: how high can you raise the bar so that these fraud cases do not come true? Because what you can see, or cannot see at the moment here on this slide, is that if these cases come true, there are very big amounts of money on the line, like with Leeson.
There we were talking about 208 billion, and at Société Générale it has been 4.9 billion. And of course, why is this so important for authorization management? Yes, on the one hand you need a certain criminal intention to carry out your fraud or bad plan or whatever. But on the other side you need to have the, yeah, possibility to carry out your plans in the form of access rights or entitlements to make your fraud plan come true. And to make this not so easy and to get it under control quite well,
we started, right within the integration with Dresdner Bank or just coming out of it, a global project addressing these three major streams, as you can see here on this slide. So we set up at first, on the top, a so-called governance stream for aligning our policies and processes and getting all our responsibilities in this authorization management area under control and set up. Then, as a so-called second line of defense, we set up a global and centralized re-certification stream.
So checking on different time periods, on a centralized basis, the approvals given to our entitlements: are these even necessary at this time, do they fulfil the need-to-know principle, are our segregations of duties checked, and so on. And last but not least, on our very critical events we set up logging and monitoring at a certain level, at the bottom. Now a bit more in detail: what are the challenges on the one hand, but on the other side, what are even the opportunities in this large and complex field?
So the challenges are, on the first side, as you remember from my first and introductory slide with the 55,000 employees and 2,500 applications on the other side: this application and infrastructure environment is changing day by day. It's not a stable basis. New applications are launched, old ones are going out of use, you are doing adjustments and bringing new functionalities into your applications. And this even has an impact on the authorizations and entitlements in the applications. So you have to walk the line in this changing environment.
Secondly, in the middle, the regulatory requirements, even for the financial sector, are rising and increasing more and more. I only want to pick out one specific thing here to give you a short glance at this. So if you keep in mind the fourth amendment of the so-called MaRisk we have in Germany: in former times we've been good if we did a re-certification on a yearly basis. Now, in the fourth amendment, this MaRisk requirement is talking for the first time of half-yearly re-certifications, so twice a year, of critical IT entitlements.
So the timeframe for re-certifications is shortening. And the second thing is, the amendment only tells you: yes, you have to do it for so-called critical IT entitlements. But what are critical IT entitlements? You have to define those for your company and for yourself and get this under control.
This the regulator isn't telling you. And the third point is, of course, by doing all this you have to make sure that your operative stability is ensured all over the time and your business is running. These are the challenges. And then, in the bottom line, you can see the opportunities. The main point for us in the financial sector is: for every risk we have to lay down a certain amount of so-called OpRisk capital, and the better we get our risks managed and under control, which is done by this approach, the lower our OpRisk capital is at the end of the day.
And we can use this capital for other things in our business. And this is, I think, the better and more effective use than laying it down for potential operational risks. And the second thing is, of course, you can reduce your license costs in the long run as well. What I would like to share now with you is: what are, over the last years, our so-called key learnings in mastering the IAG challenge? The main point from my perspective I put in the middle of the slide: it's the sustainability of the approach. Because we are a global player.
We have international units, even in Singapore, in New York, London, or our hub in Luxembourg for the whole of Western and Central Europe and all the branches there. And from the start we set up this model with these three major streams as a global model. And the second thing is, and I named it, and you see it in the lower left corner: Tell me more, I'm all ears. You have to go,
therefore I'm convinced, into a dialogue with your business, with your colleagues in this environment. This is not a topic you can design in the head office and throw over the fence to your business units and tell them: okay, these are the rules and regulations, just carry them out, and leave them alone. No, you have to go to them, you have to talk to them, and you have to go into a dialogue with them. And this is what I mean with sustainability. You have to do it not only once and kick this topic off; you have to do it in a permanent way.
Because as I went for the first time with this topic, and I think you all will share this: this is not a sexy one. This is something which is critical, which is costly, which is not earning money, because you need money for doing this and getting this under control. So it's not loved by your business units. And as I went for the first time to our international units in Singapore and New York, they reacted like: okay, there's a guy from the head office.
Yes, he's responsible for it. He's talking to us about these topics. Hmm, let's see. But as we went there a second, third time, then they made the shift in their minds and they thought: okay, this is serious. These guys from Frankfurt are coming again, and they are stressing us with this topic, and it is severe and it is necessary. And of course, what they see is that we do this approach, and I had it as the headline on the last slide, and I just go once back, you see it there: we do all these things and activities in this environment not for fulfilling the regulatory requirements.
This is the necessary thing to do. We do it because the security of the data is our motivation. Because as I said on the first slide, we are dealing with customer data, sensitive customer data, day by day. And it is very important and necessary for us to care for this data in the sensitive way which is needed.
Oops, wrong direction. Okay.
Yeah, here we are, back then. What is one thing we learned which is necessary as well? It's a risk-based approach. Define a model for yourself: what will you do in these streams, or what are your major things to do in these streams? Do you have to recertify, for example, all your applications every year, or can you divide them by using risk-based criteria to build certain tranches: for critical things in a shorter period, like SoD checks, for, let's say, only important or not so relevant applications in a longer period, to give you a short example.
If I'm talking about entitlements in, for example, our limit system for setting up loans in the business, I think you will say: yes, it is important and it is critical. If an employee here does not have the right entitlements in these systems, too many or too few, here we should check in a very short period. The other end of this line is: hmm, does it matter at the end of the day if someone in our company has more entitlements in, let's say, PowerPoint or Visio to draw charts or diagrams? No, there is no risk in it at the end.
The next major aspect we learned and we carry out is: please focus on policies and processes and people in the first step. This is why we started our governance stream with these three aspects at the beginning, to set all these policies, these processes and these people in place and get these responsibilities managed and under control. Because if you don't have this in place, no IT tool can help you to set this up. You don't know from where to where to shift this data, how to execute your processes in re-certification, in granting access controls and so on.
But once you have this under control, then it's the right point to select an IT tool which can help you. And this step we made right last year. We started with a very pragmatic approach: our first re-certifications, up to 200, 300 applications a year, we did on a spreadsheet basis with SharePoint. This worked quite well. By this we learned how this process can be managed and controlled, how responsibilities work and so on. And now we have shifted it into a tool. And with this tool we are now able, already this year, to do a re-certification for approximately 650 applications.
And the number is scaling up and rising. And last but not least, to make it sustainable and to get the attention, and the sustained attention, of your management, which you need for this topic, the setup of so-called controls and key risk indicators is quite a good and not a bad idea. So we set up, for example, a key indicator for measuring how high our documentation level is concerning authorization concepts.
And if this level is under a certain percentage, the traffic light goes to yellow, and our management is on alert status and can go to the executives and tell them: hey guys, what's going on in your sector? I think you don't have your authorizations quite well under control, please get it back in line. So this will help you to do this. And let me close. We had these stolen slides before in the presentations; this is one again. No, not stolen, I asked the Gartner colleagues, of course, if I can use and show this slide, because it puts it in a nutshell for me.
So if you ask me what is the essence of IAM for the business, and what is identity and access management good for? You can just say it counts on accountability. It makes the things transparent for you and it gets you the things under control and managed at the end of the day. So far from my side at the moment for a short and brief tour over this topic. And if you want to hear more in detail and got interested in this now, please join again at the afternoon session right after the lunch break.
Then I can tell you in a more detailed way how the setup of our streams was and what kind of different activities we carried out in the last years. Thanks.