Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an advisor and analyst with KuppingerCole Analysts. This is the first episode for 2024. And we want to start with a topic that is within our core areas, which is identity and access management. Therefore, I have invited our principal analyst and one of the founders of KuppingerCole, Martin Kuppinger. Hi Martin, good to see you.
Welcome, Matthias. Pleasure to be here again. Looks like I have done the final episode of 2023, and I will do the first of 2024.
Exactly. And already we are doing the first steps towards the European Identity and Cloud Conference in Berlin, this time in June, which is of course our IAM flagship event, much more included, but IAM. So we want to talk about IAM today. And the topic for today, the headline that we took as the starting point for today, is IAM: orchestration, convergence, or both? And maybe as a start, could you describe these two concepts and why they are antagonists in this area?
Yeah, so if we would oversimplify, it could be a bit about suite versus best of breed. So suite being the convergence, best of breed, that's where it starts to bump. So best of breed rarely has been about integration, about good integration, but we see a lot of orchestration coming up. So we see way more capabilities of really orchestration, bringing together different pieces. And so, in that sense, it is about, is the right way for moving forward is IAM. So, the different pieces of IAM, like IGA, access management, privileged access management, consumer identity access management, all that stuff, is it more an orchestration thing, or is it a convergence where more and more capabilities flow into a single platform? And so there has been quite some discussion about this in the past year, I'd say, or past one and a half years in the industry. And there are different opinions. I believe I have my own opinion here as well, backed by some three decades of experience in IAM.
Yeah, but when I look at it from a practitioner's perspective, I said I'm an analyst and advisor, with the stress is on advisor. I see different levels of maturity with an organization, surprisingly. So there are companies that are doing identity and access management for 20 years now. And there are those who just have realized that they need that and that they need to embark on that journey. For them, a single vendor, a single solution providing most of what they need might be good and... tempting first starting point, don't you agree?
Yeah, I think what you're talking about is Greenfield versus Brownfield, so to speak. So if you have a Greenfield approach, this is tempting. If you have a lot of existing IAM pieces, it's a bit different. It's also a matter of the complexity of use cases. And so are you... more large organization, maybe also a lot of mature use cases moving forward fast. So it depends on some of these aspects as well. What is the right thing to do? And as usual, the suite versus best of breed discussions, they have been out for decades. And there never was a single simple answer on that, because at the end of the day, it really depends. What I believe is that you very rarely will have only one solution. So, yes, if you're really small, if you're really into SMB space, maybe just you say go for that vendor, and I get more or less what I need. But you still may say, oh, but I need here a different type of authentication solution, then it's one plus already. And this is, I think, the point. It's rarely... only one. So, and I'd like to add, so I'm being quite long in the industry. I have seen these unified system management approaches. I have seen this unified whatever things and all the approaches which tried to unify everything into a single solution and then focused on the upper mid market or the large enterprises, the large organizations. This sort of unification failed at the end of the day.
But if you look at the vendors at the market, I think they are of course interested in having all at hand for their prospective customers and their existing customers. They don't want that people act in a multi-platform approach in this hybrid, in this best of breed approach. They want to provide them with the full solution, the full money. Is this also reflected in the market? Are products changing towards a more... suite approach?
I think it's really a mix. I see some vendors that are trying to grow the breadth of their offerings. While others say, I'm a specialist for IGA or access management, I look more at the depth of capabilities. So there's not a single or unified trend we have in the market. So we see both. And I think there's also a reason because buyers... have different expectations. And I think, you know, for a vendor, when you try to cover everything, then you need quite a big workforce to do that well. You need quite a lot of people to be capable of solving everything at a high level. It might be wise to focus on a specific area. And then we have another aspect to consider. It's not that IAM is a... sort of a finely defined and fully mature area. We have in various areas, we have innovators coming up, startups coming to the market, new vendors bringing in new solutions. So you never will be complete. So you then may say, oh, there's something cool in the policy-based access management area, there's something new popping up around decentralized identity with new vendors, there's... whatever this passwordless authentication thing, oh, I need to add some more for my OT security operation technology, whatever else, and then you have innovation again, or cloud infrastructure entitlement management, so really getting a grip on a cloud. So there's always innovation. And so there will be new engine. I think that there are ways to handle both in a... So the wish to have few... very few vendors, at least core suppliers or strategic suppliers, and then to be flexible enough to adapt to new demand, to new requirements. I think there are good ways to do that. I think we both know one we would bring up here as KuppingerCole Analysts.
And that of course leads us back to our concept of the Identity Fabric, which is quite dated already, but it's not outdated. It's something that we did a few years ago, which is a concept which allows us to look at the full platform of identity and access management solutions as a whole in a holistic manner and allow it also to grow, to evolve, to change over time and to reflect that in a reference architecture, which is also evolving over time. But this allows us to create architectures that are flexible and dynamic enough to deal with these upcoming requirements.
Yeah, so I think it's very important to stress what you said. It's continually updated. It's really evolving, the Identity Fabrics concept, but it's also, I think it has proved over a couple of years that it withstands sort of innovation in the sense of this all fits into the defined framework. So all the new stuff which came up, so to speak, already has had a place in the Identity Fabric. And... this concept, I think, is an important one because I think we need to be... distinguish very clearly between a unified approach on identity management and a single solution. And the Identity Fabric does not say, okay, go for one vendor. Ideally, you have one or two or three core providers of the core elements of it, but there will be always added elements. It might be a lot of legacy you have, there might be integrations. And this is, I think, again, where orchestration comes in, because orchestration is then the glue that helps us bring things together. And from the very beginning, the Identity Fabric, we emphasized on the fact that what is, so to speak, the really part of the fabric is something that needs to be constructed in a modern architecture and that specifically needs to expose APIs. So that needs to enable integration, that needs to enable orchestration, and which also needs to enable sort of, or provide an API identity management, identity API layer, where others can connect to, but they also can do all the customizations on top of it. So the Identity Fabric really is built to bring the pieces together. When we then go back to the sort of the initial question of, was it, what is it convergence, orchestration or both, it's probably in most organizations, it's a mix. When you're greenfield, when you're smaller, you might be definitely more on the converged side. When you're bigger, you're probably more on the orchestration side, when you have more legacy, etc., which you also want to orchestrate in.
So, there's not a simple answer, but what you definitely need is a unified concept, a comprehensive perspective of what you do in identity management, to do it well across all the identities, across all the services, across all the systems you'd like to connect.
Right, and if we look at such an IAM infrastructure, such an architecture, it's always good to take one step back to ignore for some time the actual vendor, the product, the service, the tool that is in place, but to understand it from a capability perspective, to know what's in there and how these tools, these capabilities play well together. And that allows you to make the right decisions in, for example, adding capabilities, retiring capabilities that are no longer needed, no matter whether that is provided through a single suite approach within an application that is provided by a single vendor or a single service provider, but to really understand what do I want to do, what are my use cases, what are the capabilities required for implementing these use cases, and what are, in the end, proper tools to add to the mix or to use from the suite that I have to fulfill these use cases. And that is the approach that we are using and preaching as analysts.
Yes. I think it's...
and advisors for quite a while and it still holds valid.
Yeah, I think it always starts with understanding your requirements, not only the current requirements, but also thinking about what will be needed in the future. So we see not tons, but we see quite a number of upcoming regulations that are impacting way more organizations than before. When we take the NIS2 regulation for the critical infrastructures, then way more organizations from size and from industry are... in scope. And part of that, so it's overall cybersecurity posture, but part of that always is identity. It's because this is inseparable. We see similar trends on the other side of the pond. So we see this need of having a strong identity management posture and to get better on what we do. And part of, as I've said, going back requirements that obviously... also includes thinking about what will happen in the future. And this is, when you look at our Identity Fabric picture, there are all the different types of identities. And most organizations are, or many organizations are good, or at least okay when it comes to the workforce, and maybe the customer or consumer. For partners, it's always a bit more tricky. For non-human identities, it usually gets significantly more complex and difficult. So you need to be prepared. Identity management is growing, a lot of new use cases and requirements from different angles. And so when you look at this entire thing, then you need to look at what will I need, not only what do I need today. You need to prioritize and then define the capabilities, the services needed, map it to the tools, bring the things together and glue them together. I think this growth we observe in the orchestration field, where we see more vendors, more tools arriving that help in orchestrating. This is a very positive and very important thing because it helps us to move from a set of tools to a fabric. I have been asked a couple of times about a fabric term which has different meanings. And in fact, it's really sort of both, it's a mesh.
This is the orchestration thing. And it's a production of services, delivering the services needed. And orchestration is an essential piece. And at the end of the day, I think everyone is very well-advised in thinking about... How can I keep the number of vendors, at least for core capabilities, low? Really low, while not being stuck into a sort of a single vendor's offering. How do I sort of achieve the capability to add things and to get better capabilities when I specifically need them without breaking the things? And I think this is again orchestration, the concept of the Identity Fabric, bringing this together and helps us finding the right balance between two extremes.
Right, so in the end, if we want to look back at the question that we asked in the beginning, is it orchestration or is it convergence? That actually is a secondary question. The first question is, do I have a proper concept in place to deal with both of them and to solve my problems, my challenges, to solve my business use cases in a proper way and the Identity Fabric and the reference architecture as concepts help you in dealing with both of that. And in the end, we need to strike a balance, as you said, to reduce the number of vendors, but not to reduce the number of capabilities. If you look forward into this year, 2024, June, we'll see EIC, and you've mentioned a few trends and topics that will lead to maybe some convergence or to the need of creating infrastructures that are more fabric best of breed-like. Can you hint at a few topics that we will see at EIC that you expect to be driving this architecture evolution before we close down?
Yeah, so I think one of the big things currently being discussed in the identity industry is definitely decentralized identity with things like the EU decentralized identity wallet, the eIDAS regulation, also more European-centric, but decentralized identity also being a global theme. At the end of the day, I think it's very important to understand how this adds to what we have in identity management, how this enables us to do things better without breaking identity management. And this remains a very important theme. I've talked about this at the previous EIC already a bit, but this surely will be a very important thing. And this is also about orchestration. It's about new capabilities that come into the frameworks and that not necessarily are supported by the tools in place. So it might be the point where you say, okay, I need to add something. And then on the other side, the policy-based access controls, policy-based access management, which again is about orchestrating and controlling which service can access other services, who as a human can access what based on policies, not on static and standing entitlements. So these are just a few themes. I think EIC will be super interesting also when we look about the AI impact on everything, upcoming regulations, their impact on identity management, et cetera, et cetera.
And that is the big chance for our audience. Yes, I'm looking at you. If you have any questions, we will start with a series, with a loose series of trends and topics that we will cover running up to EIC, where we want to gather information, where we want to hint at topics that are new and that are driving or maybe are still there and still need to be considered. So if you have any questions, if you have any topics that you would like us to cover in coming Trends and Topics episodes, please leave them if you're on YouTube in the comment section. If you are not on YouTube, if you're listening to that in the audio version, just drop me a mail, drop Martin a mail and that we can cover that in a...
Better drop Matthias a mail.
Yeah, maybe drop it to me. So if there are topics that you want to cover with Martin, with other of our colleagues who are the experts in these fields, please let us know. We will take that by heart and we want really to cover the topics that you are interested in.
and the topics that we as analysts and advisors think are relevant. And when we reach EIC, we will have a full set of topics. So yours might be included. So please reach out to us. Thank you, Martin, for being my guest today, for kicking off 2024. And that will be an interesting year. Identity management is changing as it has never before, I think. So there are lots of more topics coming up and more regulations. So happy to see you in the next episode soon. Any final words, Martin?
No, just that I hope to see many, many people at EIC in early June in Berlin. It will be the event on identity management again.
Absolutely. Alexanderplatz, June 2024, five days of identity and security. I think that will be the place to be. It is. It will be. So thank you, Martin. Thanks for your time. Having you soon again. Thank you. Bye bye.
Thank you. Bye.