Welcome to the KuppingerCole analyst chat. I'm your host. My name is Matthias Reinwarth. I'm lead advisor and senior analyst at KuppingerCole Analysts. My guest today is Dr. Phillip Messerschmitt. He is senior analyst and advisor at KuppingerCole. He recently joined KuppingerCole at the beginning of this year, but he is an experienced IAM specialist. So we are happy to have him.
So, hi, Phillip. Good to have you.
Hi Matthias, thank you for inviting me today. I want to share my experience regarding IT security awareness, and especially IAM awareness. I think there are a lot of people out there who are using IAM on a daily basis without being aware of IAM at all. That's what I want to address today; giving them a little idea about IAM might help them.
And I think that it's really important, because we as experts are always talking about IAM from a technological or from a process point of view, but stepping into the shoes of the end user is also an important part. So if we take a step back, let's start with this simple question for the end user, for everybody who's interested: what is IAM?
In my opinion, the one definition that everybody agrees on, that everybody knows about, and that fits every purpose doesn't exist.
There are thousands of company-specific and scientific definitions out there, which also reflect the intention of the author and his or her special case. So if I had to broadly define IAM in one sentence, I would keep it very simple.
My definition would be: who owns which access, when and where, and furthermore, when was this access used? In contrast to my definition, I can also cite a definition by KuppingerCole, which I found in the IAM master class.
This definition says IAM is about linking a digital identity to each actor within an IT environment, assigning access rights to each of those identities, and controlling who has access to what by blocking or allowing access based on those access rights. And you see, this definition is much more complex.
So from the usability point of view of such a definition, is the more complex definition the better definition then? Or how can you distinguish between the different types of definitions? What is important?
Well, in the end, I think it's not these definitions that show whether you understand IAM or not; it's all about your idea and your model, which you use to organize the topic for yourself. I will give you an example from my own perspective. I use the so-called four A model, which I found in my research a couple of years ago and came across again when I joined KuppingerCole. The four A's are defined as administration, authentication, authorization, and audit and analytics, which I want to briefly explain. In administration, it is all about the identity and its administration.
That means handling the joiner, mover, leaver processes, providing a full set of personal data, and managing the identity data continuously. The second is authentication, which describes the way an identity identifies itself and therefore proves to be the identity it claims to be. Commonly, we use passwords to authenticate ourselves, but there's much more behind it, like MFA or biometric authentication,
just naming two of them. The third A is authorization. While authentication checks if you are allowed to do something, authorization provides proper information on what you are allowed to do in detail. So I'll give you a real-life example: authentication checks whether you are allowed to enter the kitchen, while authorization provides information on what you're capable of doing in it. So are you allowed to look into the fridge? Are you allowed to use the oven? Are you allowed to use knives, for example? This is the difference between authentication and authorization. Last but not least, we have audit and analytics as a risk mitigation tool. IAM has to provide controls and prevent fraudulent behavior.
This is mainly what happens in audit and analytics. So overall, I think by using the four A model's dimensions you are able to structure IAM very effectively and also understand IAM-related issues much better.
Okay. I understand we are here today with the mission to translate all of this into the end user's language.
So how do these models that you explained, the four A model and IAM, identity and access management, apply to normal people, to the end users? How do normal people perceive IAM in their daily life?
Yeah, in my experience, only very few people notice IAM at all.
But even without knowing it, everyone is using IAM on a daily basis. And the important point is they take IAM for granted, which is reasonable, since a working IAM is almost an invisible infrastructure. On the other hand, if IAM is not working properly, you will quickly receive feedback, which obviously will be mainly negative. Right?
This is something that I can tell from experience is absolutely true. So if we narrow down the end user a bit, how is that in the business context? How do employees, how does the workforce of an organization perceive IAM at work?
Yeah, for example, for employees the perception is a bit more sharpened. At least on the enterprise side, passwords and screen locking as measures of IAM are accepted. But despite this, employees are not more concerned about IT security than necessary.
For example, take passwords: in general, they are accepted, but secure passwords, which are longer and often more complex, are somewhat unwanted. Therefore people simply won't choose a secure password on their own,
at least not without technical pressure from minimum requirements, and just the same for MFA authentication. Then there is the case of having too many access rights or, vice versa, having not enough access rights. People are lazy when it comes to security, and at a certain point I think that is justified.
IAM is an infrastructure topic that should simply work without having to spend a lot of effort. I mean, think about the distribution of end-user IT hardware.
Everyone needs a computer, but if it doesn't work, people will immediately complain because they can't work today. IT hardware is a basis for work, to be delivered more or less automatically. So enterprises need to understand that.
And for IAM, they should keep in mind that in the future, IAM will no longer be a competitive advantage but a basis for business, and companies without IAM are not fit for business. The same is true for people, whether it is on a business level or on a personal level.
Right. So the overall headline for today's topic is IAM awareness and translating that to the end user and the employee. So to raise this awareness, to make people understand that IAM is an important part, what do you recommend? As analysts, we talk of the top five things.
So what are the top five topics that would be good to know to everybody?
The first one is: digitization is unstoppable, and IAM is mandatory in the digital world. That means when everything becomes digital, you won't have another choice.
And again, this applies on a business as well as on a personal level. My second recommendation: every person comes in contact with IAM multiple times every day, and I would even say probably every hour.
My advice: you can improve your own security level significantly with only little effort if you just keep your eyes open. The third point is that IAM is timeless, so it has always existed and will always exist. It doesn't matter whether it is the gatekeeper 500 years ago or will be a digital login 200 years in the future. People need to realize that, and IAM is not a one-hit wonder or a one-time investment. Fourth point: in the near future, most services will be offered digitally.
Especially governmental services such as the identity card, or, for example, itsme, which is a Belgian company providing a trusted identity network; these are examples of those services. And the last topic is that IAM accompanies every single IT trend or topic and always solves security challenges around those trends.
Just to name some: there is bring your own device, there's home office, cloud, IoT, customer relationship management systems served by customer identity and access management systems, there's data protection or blockchain. Those are examples of IT trends that IAM is supporting.
Right, you've mentioned security challenges, and we as KuppingerCole, as analysts, deeply believe that IAM is a part of cyber security within an organization. When we're talking about awareness and IAM today, of course we need to understand, and we need to make people understand, that improving the awareness might also improve the overall IT security posture. So what can you improve for your own IT security when raising this awareness?
I think everybody who is familiar with IT security already knows that humans are the weakest factor in most IT defense systems. And therefore it is only a logical step to improve this weakness. This means taking a critical look at yourself.
So the first question would be: what are possible attacks and areas I am vulnerable to? And the second: how can I improve my own understanding of cybersecurity? If you don't have an idea how to answer those questions, take some small steps and start with addressing a well-known issue, security versus usability. So, for example, you could ask yourself: do I want anything to be more secure, or do I want smaller effort, or maybe a better user experience?
Some other easy questions you are facing on a daily basis could sound like: do I want to store all my personal data in my account?
Or should it ask me for permission every time an item of information is required? What permissions does an app on my mobile phone require? Is it allowed to do anything, so that I won't be bothered by pop-ups with permission requests, or do I want to limit my apps'
abilities, let's call it, at some point? Another classic question: do I have to log in every single time, or can I stay logged in? Do I need multi-factor authentication every single time? And also a classic one: should my password or PIN have more digits or be more complex?
What makes it more secure, or should it better be easy to remember? And yeah, the last advice I want to share: you have to ask yourself, what is the value of my data?
That means: what is more important to you, and also how important is the information for a possible attacker? What are your risks in losing those data? Because most of the time, attackers are only interested in data or information which is easy to access, highly valuable, and can be turned into money very quickly. So the more criteria the target data meets, the more attractive this information is to an attacker.
And yeah, this is what I wanted to share with the audience. I hope I was able to give a little insight and improve your IT security awareness at least a little bit.
So yeah. Thank you.
Yeah. Great to have you, Phillip, and I think this is really important. If the audience is interested in learning more, interested in raising this awareness within their end-user community, I would highly recommend that the audience have a look at our website.
Of course, KuppingerCole dot com. There is lots of material, lots of research there when it comes to raising awareness. There are some videos that can be used also in communication with the end users. And if you have tangible questions to ask, please get in touch with Phillip or me, or just with info at KuppingerCole dot com. So for now, thank you very much,
Phillip, for being my guest today for the very first time. It was great to have you. My pleasure. And I'm looking forward to doing further episodes with you very soon. Thanks again, and bye bye. Yeah.
Thank you.