Welcome everyone to today's KuppingerCole Analysts webinar, Identity Fabric and Reference Architecture 2025, Future-Proofing your Identity and Access Management. The speakers today are Dr. Phillip Messerschmidt, who is Lead Advisor at KuppingerCole Analysts, and me, Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. And what we want to do today is to give you some insights into the updated versions of the Identity Fabric and the IAM Reference Architecture.
We will, or have just published a report, an advisory note also on that, which provides way more detail than we can deliver within a one-hour webinar. But that basically is what we will do today. Next slide. So a little housekeeping, not much to do, so you're muted centrally. We will run two polls during the webinar, and if time allows, and if you're active enough in responding to the polls, we will pick up the poll results during the Q&A. There will be a Q&A at the end of the webinar, so don't hesitate to enter any questions once they come to your mind.
The more questions we have for the Q&A, the better it is. And we are recording the webinar, and we will provide the recording as well as the slide deck soon after the webinar. So without further ado, the first poll. And you have this area of polls on the lower right edge of your browser window. There you will find a poll. And there might be more reasons, I fully admit, but if you look at these four reasons, what is, from your perspective, the main reason for IAM projects stalling or failing? So is it budget limitations? Is it insufficient stakeholder management?
So not having the people on board, maybe wrong expectation setting, all that stuff around that. The lack of understanding of risk and regulation, so why do we do IAM, and what do we need to do properly? Or is it the lack of skilled resources? As I've said, there might be more reasons, but out of these four, what do you feel is the most relevant one? We will leave the poll open for a while, so you can, at any time, switch over to the poll and directly we'll have a look at the agenda now. So the agenda for today is split into three parts.
I will talk a bit about the concept of the identity fabric, why we brought up this concept a couple of years ago, and the reference architecture and where this comes from, and some more generic aspects in them. In the second part, Phillip will look at the new versions of the identity fabric and the reference architecture before we move to the Q&A session.
So when we started with the identity fabric, and this was the, I think, the first, no, maybe the second released graphic, I have to admit the first one was a bit even simpler than that one, but this is something we created, I would say, six, seven years ago already, and it is nothing that sort of comes out of the ivory tower of analysts. So the identity fabric really is a result of bringing together a lot of experience from practice, at the end, best practice, with the analyst's thoughts and the analyst's perspectives, and trying to put all this together into a framework.
So basically, the identity fabric, and this has proven to be something which works really well in advisory projects and practice, has proven to be a model that helps organizations to structure their IAM journey, to come up with a blueprint, to define what they want to do, how they want to do it, how different pieces map together, to reduce the redundancies, to fill the gaps in identity management. And so what we basically did was, at the beginning, looking at a simple question, and the question was, what, at the end of the day, is the job of identity management?
And identity management basically needs to provide seamless access to everyone and everything, and this is the left-hand side, to every type of service. So what identity management needs to do is seamless, secure, well-governed access to everyone and everything, to every service. And then the question is, what does it need for that? What it needs is, it needs certain capabilities to manage the identities, the entitlements, to provide access, to keep the risk under control, and a lot of other things around that.
And capabilities, these can be grouped into services, and finally, are provided by certain types of tools, which is a very important aspect in the thinking. It's not about saying, okay, we have a problem, we throw a tool on it. It's about thinking, which capabilities will we need to serve the purpose of IAM? So we start with the capabilities, look at the services, end up with the tools that way. And then we have a situation where most organizations don't start in a green field, one thing, for IAM.
Second, most organizations have a rather complex IT infrastructure, larger and more complex in tendency, with a lot of different elements. So we have frequently legacy IAM, we have multiple components, and an identity fabric is really built to also allow a seamless transition of legacy. So your old IGA might still serve for a while as something that connects to some of the legacy applications, like mainframes, or other applications you may at some point, mainframe maybe not, may retire at some point.
So it is connecting to the traditional world as well, and maybe with an intermediary as a legacy IAM, as well as to the modern world and quotas, like using standards, connectors, etc. to go to SaaS service and digital services. One of the really important points is, are these two arrows in the upper part of the graphic. So one is going up from the IAM to SaaS to digital service, one is going down from digital service on the upper left, digital service to the identity API layer. This is a very important element we've had in the identity fabric, essentially from the beginning.
So identity management in many cases still is primarily managing services and applications, identities and access. So it's, so to speak, from an identity perspective, an inside-out approach, but an identity fabric also should focus on the outside-in, delivering identity services to wherever they are needed, to the digital services we are building. And this is another element we have from this identity fabric. So this is at a very high level what we did there. And quite early, so also the question arose, what is this fabric about?
In the English language, there are different meanings of the term fabric. And this is something we believe the identity fabric serves both of these meanings, Phillip, maybe the next slide, which is basically the identity fabric in that sense is a mesh. It connects different pieces. Phillip will probably touch later on the orchestration aspect. Identity orchestration is a very important element. It's not about saying just necessarily one single tool. It might be a range of different tools, older tools, newer tools you bring together in a mesh.
So orchestration is a very essential capability, but it's also about production. It's producing identity services for the organization. So it's both. And what is very important, it's not just a set of Lego bricks where you say, okay, I have this tool, this tool, this tool, this tool. It's really about the integration you then create based on this identity fabric paradigm. It's about connecting them into something larger, potentially complex, but also very flexible because the orchestration should be lean.
It should be flexible and allow you to connect different pieces and also to disconnect them again, like you can do with a Lego piece. Honestly, probably if you built that, you will be shy of deconstructing it. Identity fabric should be easier and you should be more willing to deconstruct certain parts because it's not a fixed layout at the end. I think this is the difference to what you have here. So you can build everything with Lego. We are flexible. We can change it, but we build one thing and leave it forever. So the fabric gives you the flexibility you need.
Based on that fabric, then, and the next slide, we also created a reference architecture, which is basically starting with a higher level perspective and there are also drill downs, and there will be more around that Phillip will touch on in a minute. We looked at the building blocks.
Oh, good question, by the way. I'm here coming in. We will touch this in a minute, one of these questions.
Anyway, we looked at the different building blocks to form IAM. There are basically two or three dimensions where you'd like to integrate. First of all, there are, so for the ones who are around very long in identity management, there are four A's. When I started at identity management, there only were three A's because we had administration, authentication, and authorization. We didn't have analytics or audit or all the governance aspects back then.
That was the first pillar which was introduced sometimes in the late 2000s, 2008 or so, when the Sarbanes-Oxley Act was put into what was enforced by the Sarbanes-Oxley Act. Then we added way more analytics and risk perspectives here, but it's about administering. This is the deploy time, we called it back then part. Analytics risk sometimes happens early. We check the SOD violations at deploy time. We have to run time aspects about what is happening. We have some post-event time, something we've added, the new version. Then we have authentication and we have authorization.
That's the four pillars. We then define what is core of identity and access management and what is more extended capabilities, what are integrations. This is something which is really living. When you follow the market, you see that there are a ton of new startups arriving every year.
Really, every month we see new startups and we see also quite frequently new categories of tools. Identity threat detection response is something which came in relatively recently. Non-human identity management and its different facets sometimes also referred to as machine identity management is relatively new. This is nothing static and it's also a reason why we regularly revisit the identity fabric in a joint effort of advisors from the field and analysts from the ivory tower together to move to the next level here. I think this is what we do.
With that, basically, I'll hand over then right now to Phillip, who will do the next part of this presentation. Phillip, your turn.
Thank you, Martin. I have the pleasure to present the second chapter.
Update, what have we done with the identity fabric? What was our plan to update the identity fabric and the reference architecture?
We have, first of all, updated the master level. What Martin just presented, he mentioned that this is already four, five, six years old. We have updated these versions and we call them level one master versions. There is a master identity fabric and a high level reference architecture to present what Martin just explained. Besides that, we plan to have level two fabrics and reference architectures.
That means that these fabric and reference architecture models are also specified with a certain focus to certain areas, to certain business models, to certain industry, to certain sectors to reflect the requirements that you have in these areas. For example, we could have an identity fabric for critical utilities where we add regulatory requirements that other areas don't have, or we could do an identity fabric for cloud native startups that have and face different challenges than, for example, the big regulated banks. The same thing is happening for the reference architectures.
What we have on the high level is a good overview over the different building blocks and capabilities, but we could also go for specific reference architecture designs that are focusing consumer identity and access management, that focus B2B access management, that focus PAM and so on. There's an unlimited amount of reference architectures that we could come up with. This is the plan for the future right now. What we present today is the level one, the high level version, the master that we show right now. As you can see, the general approach did not change.
The identity fabric 2025 has not changed in its idea, but we specified it much more. As you can see on the left side, we have changed the kinds of identities. We differentiate right now into human identities and non-human identities, as this is one of the major changes that we have seen as important for the identity fabric 2025, but the general approach stays the same.
The story for the identity fabric, to say on the left side we have the identity types, on the right side we have the access objects, and in between we have everything that we require or that we need to establish that access is still the same story. Since the framework is that flexible, and Martin highlighted that, that we can exchange individual parts, this is basically what we have done.
We have updated the capabilities, we have updated the services, we have updated the tools that you can see here, and we added on the right side the OT area, but besides that, the identity fabric remains stable simply because it's a flexible and good framework. What else have we done? We have removed the timing aspect from the reference architecture and thought about how to update that. Our idea now, and this is also what is reflected in the research area that we can see regarding IAM, is that we split up the timing aspect into admin time, into a real-time aspect, into a post-time event.
In the former, in the previous version, we already had the deploy time or the admin time aspect and the runtime or real-time aspect. Now we think about four different perspectives. The first one is the admin time that did not really change from the understanding of the deploy time. Admin time is basically everything that you do before you access something, so in advance of the access itself. Then we have real-time or runtime. This is still from the idea the same as before, but we split that into two different sections.
The first one is the session initialization and the second one is the session management. Why do we split that? We think there are a lot of actions and capabilities that are required for the session initialization. When you come up with a session, you need to do authentication on different levels. You need to do authorization, maybe also at runtime. You need to get certain information in place to ensure a good access. Something that we see much more often right now is the session management.
It's not done with initializing the session, making sure that all parameters are in place when you initialize the session, but you need to ensure that the session itself is continuously monitored. This is what we want to reflect with this distinction in the real-time aspect into session management and session initialization.
The session management part is really about monitoring the session, keeping the context attributes monitored, and if something changes with these attributes, with these context data that is continuously monitored, you can terminate the session or at least ask for adaptive aspects or adaptive authentication, authorization or authentication. It depends a little bit on the attributes that change. The last one on this page is the post-event time. This is something that is pretty new.
The idea, however, is not very new. The idea to have KPIs in place, KRIs in place to have controls that happen after you access something like reporting, like controls really after the access. This is an approach that is well-known but has never been named specifically like we do here with post-event time. The interesting thing is you can basically take each and every capability, each and every function, and put it into these timely phases. This is pretty much the idea of this timing aspect.
This means that we have removed the deploy and runtime aspect from the KuppingerCole Reference Architecture 2025. That also means that these four differentiations can be applied to each and every capability but not on the high level anymore like we did before.
Instead, you can do that for each and every capability, even for each and every operational function that you have. What you can see here on the slide is the updated version. As you can see, it's bigger than before. Instead of having three rows and four columns, we have more rows. We stick to the same structure or the same idea here as well. We still have the four A's, administration, authentication, authorization, and analytics and risk, but we add more rows.
Meaning, we still have the core extended and integrations part, but we added privileged API and foundation. We also added quite some capabilities. Just to show it, I have marked the capabilities that are new, that remained, and that were updated. We can see quite some movement. What happened? We have taken the old, the previous version, and have checked what would be stable, what would remain, what is still up to date. This is everything that is marked green.
Then, we thought about what requires an update, a clarification, a better scoping, maybe a different wording. These are the updated areas, in yellow here. The red stuff, these are the newer capabilities and building blocks that we have observed at the market, either from the research side, the ivory tower, as Martin mentioned, or the practitioner side, the advisory or consulting area. As you can see from the color coding, every area has been changed at least a little bit, except some minor areas. When we think about the core area, we have changes in pretty much every area.
When you see the administration and core, there are a lot of red and yellow boxes. We have clarified a lot around, especially the context data and the identity data area, just to be prepared for changes in the more dynamic fields of identity and access management. We have added capabilities like context data source management to reflect that, but also we like the workflow management to make sure that the requirements that we see at our customers and at the market regarding the flexibility of processes is reflected here as well. When we follow the core row, next would be analytics and risk.
There are three green capabilities and one red capability. We didn't change the green ones. We added the red one with identity threat detection and response. We have added quite a big capability that becomes more and more important. We can also see that in the integrations area where we have XDR, which is extended detection and response. This is an important capability that we observe much more in the market. Authentication and authorization in the core row also changed.
We have clarified a lot of the capabilities, which results in a lot of green capabilities that remain pretty stable, a lot of yellow capabilities that were clarified and updated, and some red capabilities that were not reflected in the former version, but that are now reflected based on the clarification. With a new version, we introduced the capabilities themselves, but the idea was also part of the previous version. Same for authorization. There we have also clarified a lot of capabilities, so the red ones reflect the new and clarified building blocks.
One row that is completely new is the privileged row. In the past, we have signaled the privileged capabilities with the color coding.
Now, we have a dedicated, a focused row for privileged access management. However, these are not all of the privileged capabilities. As you remember, this is just the high level reference architecture. In the level two version of the reference architecture, or at least we plan to have this level two version also for privileged, where there are much more detailed capabilities. For the extended row, we have not changed much. You can see the green area. That means that this has also been in the previous version. In the integrations area, we find a lot of new capabilities.
This is an area that we have updated a lot with the upcoming trends, especially around zero trust, around dynamic authorization. We find a lot of new areas that we need to take into account. This is reflected in the integrations area as well. You can find privacy and data protection. You can find license management there, contract management, mobile device management, everything that supports the idea of the new data points that we need for automation, especially with respect to zero trust. Two new rows on the bottom of the slide are API and foundation.
We added the API layer just to show how important the topic of connectivity is. APIs and identity orchestration, especially, will be very important when we follow the idea that Martin mentioned earlier, meaning that we need to connect different kinds of tools to provide all of these capabilities. To remain flexible, we will require these APIs and this orchestration idea to ensure that we can exchange parts of the identity landscape and not exchange the whole landscape at a time.
So, the Lego bricks idea that Martin mentioned earlier. The foundation layer, we have added the foundation layer and the capabilities in there to reflect functions, capabilities, building blocks that we were not able to locate above in the core area, extended area, and integrations due to the fact that these usually reflect multiple of the functions above.
So, for example, application onboarding uses many of the capabilities above to ensure that an application is properly onboarded. Others like the data model or performance management or health management, they support IAM, but they are not directly part of the reference architecture when it comes to IAM. But anyways, IAM cannot exist or an IAM architecture cannot exist without, for example, performance management, without a data model.
So, these are really the foundation, the basics that you require to build such a landscape. This is the new reference architecture 2025 and the idea behind that with all of the changes.
So, in total, we have 21 new capabilities. We have 11 updated capabilities, and that means we have more than 50 percent of the previous version changed. What else have we done? Some of you might know that already, but we have added for each and every capability a detailed view. This detailed view consists of a one-sentence definition, and we can see that here for the identity lifecycle management. The one-sentence definition, a detailed description that is longer, usually much longer than the one-sentence definition.
We have the key aspects and key functionalities that describe the capability and ensure that you understand what is important for this capability, and we have examples and sometimes use cases. On the top of the slide, you can see the category of that capability.
So, this capability belongs to the core area. It's part of the administration column, and it is considered an admin time capability.
So, this is where you can find the timing aspect that I've mentioned earlier. So, another example for entitlement management here, you can see that the one-sentence definition is really shorter than the detailed description, but here you can also see that the key aspects and key functionalities try to add and explain in very short bullets what this topic is about.
So, for entitlement management, roles are important, entitlements are important, policy lifecycle management is important. Yeah, this is the idea of the more detailed slides. In the end, this enables us from a very strategic perspective to go into operational challenges with these two frameworks and the detailed slides.
So, we basically start with the identity fabric telling you which identity is accessing what object and how is that being done. We dive deeper into the reference architecture, and ultimately, we can go into each and every of the capabilities and find these details to discuss even processes or very detailed concepts like here for entitlement management. We could discuss how role and group management is being done or how policy management is being defined. And this brings me directly to the benefits of the identity fabric and the reference architecture.
So, we consider it as a holistic and structured approach to IAM. As mentioned, we have seen that the approach that Martin described is very stable.
So, the idea did not change. It is flexible enough in itself to adapt to changes and to be updated without losing the overall idea. Second is that we are able to speak the language of our audience or of your audience if you use the approach.
So, it doesn't matter if you talk to C-levels or if you talk to subject experts. It highly depends on which perspective you take. You can stick to the more strategic level of the identity fabric and reference architecture, or you could deep dive with the subject matter experts into the detailed slides and even further into processes, into concepts, into technical configurations. The reference architecture and the identity fabrics offer both of that.
So, you can completely adapt to the language that your audience speaks. Third point, third benefit here, you can discuss strategic opportunities, but you can also dive into the operational challenges.
So, I mentioned that already. It doesn't matter if you talk about this identity type accessing this kind of applications or if you want to deep dive a certain process like, for example, the joiner-mover-leaver. Both frameworks offer you the opportunity to navigate to this detail level in the end. One more benefit is that both frameworks are able to cover trends and still stick to the basics and fundamentals.
So, you might have seen in the reference architecture, we have the trends in there like dynamic authorization topics, like identity proofing, like verifiable credentials, decentralized administration. So, it is able to cover the trends while at the same time, it is also able to cover the basics and fundamentals.
So, we can still talk about the identity lifecycle management. We can still talk about entitlement management. We can still talk about access governance.
So, both perspectives are reflected. Then, point number five here on the slide, it enables us to define short-term and long-term strategies and initiatives.
So, it doesn't really matter what you are trying to do. If you are planning for one year for a short-term measure or initiative or if you want to set up an IAM strategy, you can use the frameworks really to take the identity fabric reference architecture to define it for 10 years, for five years, for three years, even for two months. That depends on how you use it and how much into the operational details you go. Both frameworks enable you to do whatever you want with them.
You can go for a long-term strategy and saying, I want this identity type to be connected to this access object, but you can also say, I want to redesign my joiner-mover-leaver processes and this is done within the next three months. So, the flexibility for these two actions is given. Last but not least, a very important benefit here is that both frameworks have the flexibility to adapt to your organization's unique challenges and requirements.
So, we are not limited to a certain area, not limited to an industry, not limited to a single company or it's not limited company or it's not based on experience that Martin made in his past. It's bringing all of that together.
So, different areas, different organizations, different experience. As Martin mentioned, it's from the ivory tower, it's from the practitioners, it's from our customers. Everyone can use it and therefore, everyone can basically adapt his own version of these frameworks and make it better for the own organization and reflect the unique challenges that you have. And with that, we get to the second poll. What are the primary factors impacting your organization's IAM budget?
Regulatory compliance requirements, the organizational growth, security threat and technologies or operational efficiency and cost reduction targets? Like the last time, we will keep the poll open and with that, we move to the Q&A part. Okay.
Phillip, thank you very much. I think this was very informative and I see that we have a number of questions. By the way, there are some upvotes capability or option for the questions.
So, if you go to the questions area after doing the poll, you always can decide to upvote a question so that we then can focus and we can order by upvotes, Phillip, that we can focus on the most relevant or the preferred question. So, the one I'd like to start with, we have some 20 minutes left. We'll probably not be able to cover all questions in detail, but Phillip and I will work on some follow-up like blog post or any other form where we can go a bit more into detail on questions that are relevant.
So, one of these questions was, can you give an overview of what to tell the C-level on IAM? Yes. Would probably require bringing up some additional slides, but let's do it at a high level and maybe this is a very good topic also for a follow-up because at the end of the day, it depends a bit. Not the best answer, as I know, but I'll go into more detail.
So, is there a concrete trigger from your management? So, are they scared from a security from a governance and risk and audit perspective or not?
So, if there's a concrete trigger, it's easier, then it's really going into the details why IAM helps you in doing certain things. Otherwise, I tend to look at more digital services and impact of identities.
So, if you want to succeed as an organization on the digital business, you need a strong IAM posture. You need to be very strong when it comes to digital identities because our entire digital business relies on the digital identity. It starts with it. Your contact with a customer in the digital world starts with the customer in some way connecting with you, coming in with an ID. It's everything starting there and this is why I believe that this is a very good starting point for a C-level conversation.
And then after that sort of bringing in the other aspects, which is you need identity management for regulatory compliance, which is unfortunately more the negative driver side for cyber security. Yes, there's also administrative efficiency, but my experience is that trust in IT telling, oh, we will become more efficient is relatively low at the C-level.
So, better focus on the other aspects. This is, I would say, at a high level what I would bring in here. And then tools like the reference architecture fabric help you to bring this to life. This is maybe something I want to re-emphasize of what Phillip said.
So, we have methodologies that help you to identify where are your gaps, what should be your main priority or your biggest priorities for identity management? How do you structure your IAM program? We have the ability to walk through these steps and to come up with very concrete perspectives on what to do next within your identity and access management.
So, I'd also like to pick the second question, maybe. Phillip, if you want to add something to the next question, feel absolutely free to do so. But this is one of my favorite themes, so to speak, which is identity orchestration.
So, identity orchestration was in the fabric visible at the bottom level because it's a foundational capability. You need an identity orchestration capability to combine the different bits and pieces you have in identity management, be it identity providers, be it different types of identity management tools. Orchestration is basically the glue that helps you to put these different elements together.
And so, this is also, for instance, I'm currently working on our upcoming updated version of the Leadership Compass on Identity Fabrics, which we intend to publish around the time of the European Identity Conference, so early May. Don't miss the EIC, by the way, early May in Berlin, the number one conference on identity in Europe and surely one of the best ones globally. Don't miss it. But anyway, there I put way more emphasis this time on identity orchestration as a capability because this is something we, I believe, we need much more than ever before.
Phillip, anything to add here?
No, not too much, to be honest. When I see that from a practitioner's perspective, and that adds also a little bit to the last question, the structure is important.
So, identity orchestration fits perfectly in there because you have a very good structure with both of the frameworks and you can see where you have gaps, where you are strong. That helps to communicate not just with the C-level, but also helps to understand your identity landscape and with that, how identity orchestration can support your organization.
So, this would be how I would answer this question. Hope that helps. Wonderful.
Phillip, do you want to pick one of the next questions on the list? So, then this is already answered. Then let's pick this one and read it. The data model, API layer and orchestration are key to realize a fabric as almost every organization will have a unique combination of different technology components from different technology vendors.
So, yeah. It's probably more a comment than a question.
Yeah, I was just saying that, but this also shows how important it is to have a flexible framework because the fabric and the reference architecture are able to reflect that so that we are able to connect the different pieces in the landscape together into a single concept that is very structured and that can show the strength of your landscape and show also the weaknesses on the other hand and where you need to improve or exchange certain tools, certain parts in your landscape. Okay. I think something we also could discuss further for hours.
So, just picking this. Yes, I think spending time on data model, API layer, they are essential because it's really about integrating different bits and pieces. One of the other questions I like to look at is, are the new areas primarily driven by startups or by regulatory requirements or others? I think what is new usually comes in because there's some gap in what we have in the sort of overall IAM tools landscape.
So, then we see new things emerging. Some of these might become big. Some of these may converge. Some may change.
So, we will see surely some of these new technologies converging into other areas. And we're also always a bit conscious about what do we add, what not.
So, for instance, there's another question around identity security posture management. I don't think that ISPM is really, at least as of now, a separate discipline. It's probably more a combination of different things we do within identity and access management and probably more marketing term than really something which deserves a separate box. And we also may see others converging. And it's also what happened in the past, converging into other areas.
So, it will be a constant evolution. So, we're looking at a market. As analysts, we look permanently at what is happening in the market, what is going on in startups. We just recently launched a new format we call rising stars, where we look at vendors we find specific interest regarding the innovativeness in the product market. Very diverse, by the way, to look at these types of reports. And on the other hand, we also have a lot of insight from our advisory team, which works with customers and understands what they are lacking in practice.
We have a CISO council where the CISOs provide us feedback, many CISOs from large organizations. So, it's really a combination of different sources we are using here. Okay. Then I pick one.
Next one, you. Is there a downloadable version of your reference architecture and fabric material? And what is the pricing? I'm not sure about the pricing, but I'm sure we can deliver that. As you can see on the slide here, the first entry is the just published new version. We have published it today.
So, you can basically use the link or go to our website and download it from there, if you have access to the research material. Okay.
So, maybe let's have, in the meantime, have a look at a poll. So, you can look at the poll results yourself. This webinar tool is a bit new to us, so I don't know exactly whether we can show it on the big screen. But if you go to polls and then to this symbol for an I on the right side of the polls, then you see the results.
And when you look at the first poll, which was about reason for IAM projects stalling or failing, then stakeholder management is clearly ahead of the lack of skilled resources, which also is almost 30 percent, while risk and budget are a lesser challenge, which, by the way, also correlates to other polls, similar polls we did in the past, where the budget commonly is not the biggest issue. The issue really comes from other areas, such as being too tool-heavy, stakeholder management, and lack of proper project planning, stuff like that.
For the other poll, when we look at the budget, so the cost reduction targets take a big role nowadays. I think it's very clear in times of economic turmoil, followed by regulatory compliance, then security threats and technologies, and very little organizational growth. So you can also, in parallel, always look at these results whenever you like it. Real-world examples, we can't name the customers. So there's one other question, which is about client-specific assumpts, where did Fabric resolve their real-world problems?
What we basically did in many cases, and Phillip is leading many of these projects, is using this to help customers understanding, to setting their priorities, to setting their roadmaps, to identifying their gaps, based on this paradigm, and to bring together different initiatives. So to move from a project to a program, to a journey approach, and this is something we did with quite a couple of very large organizations over here in Europe, for instance, where we used this paradigm really to work through and to guide organizations on their journey.
And Phillip, maybe you want to add something here?
Yeah, I think the best example that we can share is our workshop that we had, I think it was 2023, or was it, it was 2023 when we had this workshop, and we will have a new version of the workshop, and this is this year on EIC, where we will again talk about how to operationalize the identity fabric and reference architecture. So when we talk about these real-world problems, you can actually do a lot with these two frameworks, especially, as I said, from the strategic perspective.
So when you think about what is my status quo, what is my maturity, so you can have a maturity assessment based on these frameworks, you can think about the future state, so where do I want to go, what will be the future topics that are interesting for me and my organization, and where do I maybe lack experience or awareness or whatever.
You can combine both of that, so the maturity and the status quo with the future state to derive a gap analysis, so you can see where you are currently weak and where the gap is big, so where you need to do some stuff, that means, or results more or less automatically into a roadmap when you add actionable items to these gaps and so on.
And if you want to dive deeper into the operational stuff, as said, you can go onto the detailed level of each and every capability, you can dive into processes, you can check in the details what are the processes about and can talk about how they correlate maybe to other capabilities.
So, for example, entitlement management itself is an interesting field, of course, but it is more interesting when you add access governance to it and how the access request, for example, works, how does that correlate with your authorization model, how does reconciliation work in your applications, how do you do recertification and so on.
And with the reference architecture, you can combine all of that, so these pieces might be in different capabilities, but you can easily jump back and forth, combine them, understand them, rate your maturity for these capabilities and then come up with a recommendation or solution.
Yeah, and I think what really is the value, so there are a lot of layers below the fabric, there are a lot of methodologies, also our advisory team is using a lot of experience in building process models for identity management and everything you need around it, in structured and standardized maturity assessments for identity management, where we have a great experience and also for cybersecurity, by the way.
So, we can do a lot of things below that level, but I think the big value is in maybe a bit of a boldly phrased form that helps you to get from chaos to structure in your identity management program. So, to really have something which helps you structuring, prioritizing, assessing where you are, et cetera, in a defined framework, and then also helping you to better communicate that IAM is not a couple of tools that are rather independent, it's really something which needs to be brought together where the orchestration, where this integration is essential.
So, I think we are almost at the end of the time, maybe we can pick one more question. Oh, I have one.
Okay, then we keep it a bit short and then we follow up with the other questions. It is a short question, does the framework include alignment with zero trust? Not a short answer, probably. The short answer is yes, we also have a zero trust model that reflects the current approaches of NIST and the Department of Defense. We have adopted that and we map that to identity and access management.
So, the identity fabric and the reference architecture are both designed to support zero trust. It's not explicitly shown on these versions, but we have a zero trust model that shows the link to the reference architecture.
So, the short answer is yes, if you are interested in that, you can write us an email and we can explain that any further. You can also go to our website and look for the zero trust publications. I think Alejandro posted some research on exactly that model.
Thank you, Phillip. I think that is a good answer. We will follow up on questions we weren't able to answer and maybe also with some more depth and detail on some of the other questions. It will take us a couple of days. If you don't have a membership subscription at KuppingerCole Analysts yet, don't miss to get one. I think our content is definitely worth that and also our events and all the other options. And if there's anything you need to do in your practice, be it a vendor or an end-user organization, we are here to advise you.
So, thank you very much for listening in, for the large number of attendees. It was a pleasure. And thank you, Phillip, for all the work you and the team invested into updating the Identity Fabric and the reference architecture.
Thank you, Martin, and thank you for your support.