What if we took the traditional way of thinking of Identity Governance and reversed it completely? Putting together a successful IGA program has commonly been a long haul,
The next panel is about the modern approach to identity governance. Please welcome on stage gay Linsky. And of course we have also on stage Austin Baker from, and, and Gal from PlainID. And also again, Martin Kuppinger, the founder of KuppingerCole, and me, your moderator, Fabian Z, also from Kuppinger. So great to have you here. So that you've been again on stage today. So the modern approach to ID governance for me, everything's new here. So what are the major challenges or maybe also pitfalls or cost drivers?
If we are looking at ID governance of a traditional ID governance, maybe you would like to start. Yeah, sure. I will. So I'm Gal, co-founder at PlainID and chief informa innovation and product officer. And the main challenge is I think with governance of ID are numbers just numbers because today organizations are dealing with huge amount of numbers.
When it comes to governance, you need to collect all of the identities with their access, with their authorization, and you need to go through certification processes in order to see what those identities have access to and organizations today are spending huge amount of time just to go through those processes. And that is the main challenge I see though.
Yeah, I agree. I think a lot of time is spent in preparation when a lot of it has to do with sometimes the methodology, right. So I see people, you know, just like the conversation we just listened through, right?
So the, you ironing out all of the actual life cycle management process first, before we're getting into the, like the access certification process. And so we're starting to see some people take the reverse approach of pulling all the data in to see it in one spot, find the outliers, certify the access and then get into, you know, life cycle management. So as an example, so that we're shortening the timeline to the value that we're getting. So we're getting some kind of value quicker, so that, that cost is justifiable.
So, And, and I think so when I look at my experience, it is we need to, to look at how can we make it more efficient. So, so when I look at traditional role management, I don't think I've ever seen a role management project, which went really smooth, right?
So, so maybe it went maybe not, but smooth, probably not. And for recertification, I think it's, it's a way it's something we need to do, but we, we need to do it as good as we can and also think about how can we make it better? Because also, I, I, I dare to say, I never seen an organization globally where people said, okay, if you go to my departmental managers, every one of these department managers will tell you, Hey, re-certification, I'm really waiting for the day when I can do the next re-certification because it's such a cool thing. I've never seen something like that.
And so, so I think we, we need to look at how can we make this better and what I also see. And I think this is maybe also you come in from secur to some and probably some others. It is also about, I, I see even very large organizations, which they, in fact, so if you're not super highly regulated, we don't have a broken access governance at all.
Yeah, no, I agree. It's, it's interesting because exactly what you said, no one really wants to do like an access review and, you know, there's the people, the process and the technology piece seven and us as, you know, product vendors, you know, we're responsible for that technology piece. How do we make the services around it easier or make it where it's easier, but how do we make administering the tool and, you know, reducing the amount of clicks or describing things easier. So there's no underscore, you know, acronym underscore for a line manager to try to understand what that means.
Right. So I, I remember one of the very first advisory projects we were asked for was reviewing an I solution, which really stalled. And the first thing we learned were that the department, departmental managers were asked to verify SAP transaction numbers. Right. Were they all approved? Yeah. The project stalled. Yeah. Great. I think we have heard enough about other pitfalls from the past. So if you're moving on now in the future, could be AI, really a solution to make things better, to speed up the processes, where can it help?
So I dunno, but maybe you have some examples for it or, and does the IGA solutions example of a mid-market company deliver sufficient data for really data heavy machine learning? So if you look at these two technologies, maybe we can start at Austin. Sure. Yeah.
I don't, I mean, I think the purpose of it here today is gonna be, you know, how can we reduce the human element of it? You know, reducing some of the error around it, some of the redundancies so that we can, you know, remember things, if we're trying to track down people, who's, you know, maiden names, we're never changing announce stream application or something, but, you know, as far as you mentioned, like the fixing the changes, I think it's really good at right now at finding the outliers, finding the things that need to change, maybe reconciling when they have been changed.
But I think the market's expectation right now is probably a little ahead of what it exists, because unfortunately there's just still a lot of applications that are not gonna allow something to, you know, write into it or make a change, you know, but what can we do around that as the market catches up to the expectations around it? So Do you agree or is it different?
I, I do agree, but I do want to add also, I think the answer, I can divide that to two parts. First of all, the method which we are doing certification are the tools, which support that.
So today, as we say, certification is done one by one, identity by identity, entitlement by entitlement. And that requires many efforts, many resources just to support that. So obviously advanced technologies, such as AI, machine learning, all of that, they can identify the patterns which you have in order to make the process more efficient. How more efficient? First of all, by providing automation, which doesn't always require certification of one by one.
I mean, if you are going to automate the way, which you provision users, the way which you provide access, then you don't need to approve one by one. So this is the first part. The second part is to build that on top of policies, right? Instead of approving, you know, I'm going to say that, right? So instead of approving user, by user identity, by identity entitlement, by entitlement, think of certifying, approving policies, policies provide a much wider range of decision rather than just a single one. It includes so many in just one statement.
And that's another part of improving the way which you do a identity governance. I, I think it is a little bit about looking at Greenfield brownfield. Yeah. So to speak because we have to live with systems that think about, or that requires static entitlements, that, that are really traditional manage and IG approach. We have other solutions.
And, and I think I talked about in my keynote with a broader context, we need to do more things about with policy-based automation. And I'm absolutely with Gal, that policy-based automation is something which helps, but we also will need to, to support sort of the, the legacy and this will easily go away. And this is what we need to make easier. And ML, AI/ML can help, whatever it is. Sometimes it's just a marketing badge and something simple statistics is behind it, but it's a different story.
But, but I think a point you brought up is, is very important. This is what I said, you know, you for, I believe what the main fundamental problem of role management is that we start at the wrong point. A role is an artifact that contains artificial. So you ask people to create something artificial, go out and ask the people. What is the access policy? These people in my department are allowed to do that. And from that, you can derive everything. You can derive the roles, you can derive the entitlements and you talk with people in a language. They understand it.
I think this is the fundamental challenge in, in role management. It took me 10 years or so or more to understand it.
So, so you will find old videos for me where I'm telling, Hey, create these rules and blah, blah, blah. Yeah. Yes. I was wrong. I was wrong. And I think this is, this is a point. And the good thing with policies is if you automate, you don't need to manually, re-certify the single entitlement by the policy, the policy, and then you can get easily rid of 90% or so of what you do, an entitlement management or access certification.
Yeah, no, I agree. It's, it's, it's funny. Cuz before I realized who I was talking to at the beginning of the commerce, I was thinking, oh wow, there's a great partnership opportunity here because it's the same idea of, you know, managing by the policy roles, attribute back, whatever you want to do, what I'm looking at the policy, for instance, I can say confidently, yes, this person likely has this access or this person should have this access or has been provisioned this access because they're part of this policy or that fit into the mold there.
But how confident are we that there's nothing else that they have, that's an outlier, right? Without having some kind of mechanism in place where we're a hundred percent sure that no one can get back to our access. And the only way that we'll actually know is if we go directly to the application and see the entitlement as well, but if we can combine it, we can see the outlying Without, without reconciliation, it will not work. Right.
So if you can bypass that, but if, if you have that and if you have, if you track so to speak, which title comes from policy, which is manually assigned, then, then you can really simplify a lot of things. And really that might be a partnership opportunity. Yes. Yeah. Well we can talk after, right? Absolutely. But I think this is a good point. Outliers would always be there. You can't assign all access. So entitlement just by policies. But if you have a large percentage of your access assigned by policies, then the, the outliers are manageable. You can approve them. You can certify them.
They don't take ages to approve, but rather a small portion. Yeah. Wonderful. So I think you should talk afterwards. So okay. If you now moving away from this fancy technologies, AI, machine learning. If I am a company, what should I else consider if looking for a modern IGA and access governance solution. So maybe starting at Gal. Okay. Yes.
So, so the objective is eventually to support the access of your users, right? You have a user base, they need access and it needs to be somehow governed, right? You need to know what's there and needs to be approved, but you want to do that in an efficient way. So you should be looking for solutions that provide that efficiency, visibility, automation, and policies that would control part of the access. It's not necessarily just a single type of solution, right?
Maybe it's a combination of, you know, your organization, you know, if there are patterns or are not, I'm familiar with the organizations that went full blown policy based and no single assignment, which is fine for them. Others cannot live by that way. You need to understand what's best fit for your organization and look for tools for that.
But again, those should be the parts you, you need to consider. Okay. Yeah.
I, I think listen to how your salesperson talks. It's interesting cuz I mean, it's, are you getting yourself into something that, you know, when we look at a feature standpoint or a structure of, is it configurable versus customizable, but you know, we had to find that balance of, you know, are we going to customize something to fit a process that you know was working? We probably wouldn't be looking as hard or are we going to try to, you know, fix a process that could possibly fit into a product with a little bit of configuration.
So I think listening to how they answer your questions will really tell you what the feature's gonna look like, you know, during, and post-implementation, I feel like a lot of people think about implementation a lot during the evaluation, but not after, because it seems the implementations take a long time. But yeah. So listening to how they talk about the solution and whether it's going to be helping you change something to make it for the better or fit something that you're doing into. If that makes sense. If I worded that, right.
I, I see too, when I look at what, how organizations can deal that, I think it's, it starts with where you are. So do you have something in place which works smooth.
Okay, then it's fine. Do you have something in place which works not so smooth then it's clearly time to think are you need to, are you need to, you need to struggle and do you need to solve old stuff or do you need to, to, to do it for, for, for the future? I think these all are little different scenarios and, and, and probably the more you go to future and develop your digital services, the more you are in policies, the more you are legacy IT, the more you are in traditional entitlements.
And, and that means, okay, what is the right approach to it? Is it really adding something because you haven't, whatever. Maybe you have a lifecycle provisioning tool in place, unity access government and top 10 it's, it's probably a, a good way to go there because migrating to the next IGA solution is not so easy. Sometimes needs to be carefully considered at least in other areas.
As I've said, you might go more for the policies and what you always should do is, and this is my main recommendation here is really look at a process, define your processes and Catarina just before talked about the need for, for writing down your processes. And, and, and if you believe you can, can save any time by not writing down your process, very detailed. And this is not just trying or move lever.
These are 30, 40, 50 processes you have around policies, policy creation, policy change, policy approval, etcetera, if you don't, if every, every minute use mean you can save, there will cost you hours and days and weeks later on. Yeah.
And I do, I do want to add another point. Traditionally, identity governance and administration has been part of, you know, it was an advantage of an identity and access management type of solution, provisioning-based, coarse-grained authorization. That's not the case today. Okay.
I, I absolutely agree with what you said. You need to define your objectives in governance and the tool to support that is not just the traditional IGA. Maybe it's a broader scope, right? Maybe the traditional IGA would see your identities and would handle provisioning provisioning as it should do. But your identity landscape is much greater than just what the IGA can handle. Okay. And you need to consider that you need to see what are your objective, your digital landscape. What do you need to govern and start from them? Define the objectives.
Yeah, I think I agree with you. Great closing statement from Gal, but not no, no, you, you also can add something to say, but I think we have to come to an end. So the last verse from your side, Austin.
No, I I'll just say I agree. Don't, you know, don't boil the ocean all at once.
You, you know, do a little bit of a lot of things, focus on one thing at a time, land and expand. Nothing to add from my side. So that's from my side also. I think they all deserve a all come applause. So thank you, Gal.