Identity management in the cloud and for the cloud. This webinar is supported by Hitachi ID. Speakers today will be me, Martin Kuppinger of KuppingerCole, and Idan Shoham of Hitachi ID. So let's start with some general information, some housekeeping, and then the topics. KuppingerCole is an analyst company focused on enterprise IT research, advisory services, decision support, and networking for IT professionals, through our subscription services, where you can access our research, and other additional services like access to our analysts through our advisory services and through our events.
Our main event is the European Identity Conference, which will be held May 10th to 13th, so in roundabout three weeks, in Munich, co-located with the Cloud 2011 conference. Both conferences are around thought leadership and best practices in identity management, GRC, and cloud computing, and especially cloud security. And I'm convinced that there are very good reasons to attend these events; have a look at the agenda and the information, and you can register now. As I said, I think you shouldn't miss these conferences, being the lead conferences in Europe around these topics.
Some housekeeping: you are muted centrally, so you don't have to care about this. You don't have to mute or unmute yourself; we are controlling these features. We will record the webinar, and the recording will be made available on our website, so you can also have a look at it later, share it with your colleagues, and all that type of stuff, and you can also download the presentations from the website.
So you don't have to take too extensive notes on that; you can really look at the website and download the PDFs of the presentations. Q&A for the webinar will be at the end, but you can ask questions at any time using the questions tool in the GoToWebinar control panel, which you will find at the right side of your screen. We will usually answer the questions at the end of the webinar, but in some cases, if appropriate, we might also answer them during the webinar. So let's start directly with today's webinar. The agenda is split into three parts, like with most of our webinars.
In the first part, I will talk about identity management in the cloud and for the cloud: the status, trends, and recommendations. Afterwards, Idan of Hitachi ID will talk about deployment patterns for identity management in the cloud and for the cloud. So he will in fact continue what I started talking about, dive deeper into details, and talk about different approaches in that area. And finally, we'll do our Q&A session, as I have mentioned before.
So to start with, I'd like to show this picture, and this picture is something which is, I think, very important when looking at cloud computing. What I frequently observe currently is that there are a lot of vendors which are offering things specifically for the cloud. They are offering some parts of identity and access management for the cloud, so you're doing things in the cloud for the cloud. You're doing service management specifically for the cloud, or other things in this area of security, or whatever.
I think what we really need is to have one IT, in the sense that we are managing our environment consistently wherever it is running. So we have one GRC, one IAM for the entire hybrid environment we might have, with internal and external services.
Again, more on that later. Now, looking at IAM and looking at what we need in IAM to be sort of future-proof, I think there are four areas we need to cover. In the lower right edge, we need to be flexible, so we need to integrate between different things; we have to integrate what we have in our organizations. We have to be compliant, so we really have to support and fulfill compliance requirements. We have to be business-focused, to really focus on what the business requires and how the business can use the services of IAM. And finally, we have to be cloud-ready.
So we have to support and serve everything: internal users and external users, internal services and external services. Regardless of where services are running, we have to support this, and we should be able to run our IAM where appropriate, either hosted or on premise, depending on what is the better approach for our environment. Within these, let's say, requirements for IAM to become future-proof, I will focus on the cloud-ready part today, mainly. So why are IAM and GRC so important for the cloud? I think there are a lot of reasons.
The first four are the typical four A's, and I've added a fifth A in that case. The first one is administration of identities: how to manage our identities only once, regardless of where they are running. That doesn't mean that we need one directory. It means that we need a consistent approach to managing identities, regardless of whether they are internal or external and so on, and especially also regardless of whether they access internal services or external services. We have to care about authentication.
So how can we provide sort of a single sign-on and a consistent, strong authentication approach, really having strong authentication implemented for whomever we need it, in the appropriate way? In some cases, internally, we might have more logistics; externally, we probably would rely more on logistics-free approaches like soft tokens or other things. But again, it's something we have to cover for our internal work, for our external work, for the entire hybrid environment of cloud computing we are dealing with. When looking at authorization:
how can we manage access controls across multiple services and providers efficiently, especially if we have more external providers? How can we even enforce segregation of duties controls across multiple services, maybe even internal and external services, and all these things, consistent access control policies? How do we audit what has been done internally and externally, and how do we do the accounting for all of these services? So IAM and GRC are pretty important. If you look at these questions, many are related to the "who" question. So identity is a key thing.
And to be really able to deliver for cloud computing, we need IAM and GRC, and we need it in a way which really is focused on supporting the entire hybrid environment. When looking at this, there are a lot of different approaches. So we have IAM as an external cloud service for external cloud services; we have external services for managing the internal environment, which is not necessarily an internal cloud, but we have, for example, external provisioning services; we have internal services for managing external things.
So using our enterprise single sign-on to access external cloud services, or for internal things, for sure, as well. And what I think isn't really valuable is something which supports only one part of our environment. So something which supports only external-to-external is, from my perspective, not sufficient. Something which runs externally and supports
our external as well as our internal environment, that's something which appeals to me. The same is true when looking at something which runs internally and supports our internal and external environment, and for things which are running either internally or externally, so regardless of where they run, they can be hosted or on premise.
These are, for sure, valid combinations. However, things which are only focused on doing something external for external environments only, or internal for internal environments only, are, from my perspective, not sufficient, because at the end of the day, it's always about supporting the hybrid environment. When we now look at what is available in the market, then we see that from cloud providers there are several offerings in the broader space around IAM and security. So we have some offerings around secure infrastructure.
So how to deploy infrastructures in a secure way, how to manage them, how to do monitoring. We have very few GRC offerings out there, but we have the first ones. We have provisioning hosted. We have authorization management as a cloud offering. We have single sign-on as a cloud offering, web access management, strong authentication, federation.
So we have a lot of things in that area from a relatively broad number of providers today. And for sure, we also have a lot of classic security technologies out there, like antivirus updates, patch management, and others, which have been provided for some time, in some cases for a pretty long time, externally. When we look at the MSSPs, so the managed security service providers, then they are doing a lot of things in some specific areas of security management. When I look at identity and access management,
then most of the providers in that area are working on implementing multitenancy in their classical on-premise products and then looking for hosting partnerships. So we have an increasing number of offerings, and we probably should ask the vendor what he has in place there, who his partners are, and so on. For GRC, we have relatively few things out there; for secure infrastructure, so how to manage the entire environment,
we have an increasingly broad number of things. On the other hand, we also have the managed service providers, which are focused more on, let's say, classic outsourcing for a limited number of customers instead of cloud services which can be used by a virtually unlimited number of customers. And finally, we have the on-premise things you can do for yourself supporting hybrid environments. So that's about how you can extend your on-premise solutions to support hybrid environments.
That might, for example, be done by supporting SAML 2.0 in enterprise SSO, or by adding connectors and provisioning for Salesforce.com and other SaaS applications. A lot of vendors are starting with this; some connectors are available. Again, it's something to ask your vendors about: what is their strategy? In some cases, we also have technologies which can achieve some result using existing technologies, enterprise SSO being a very good example, web access management as well. I expect that we will see a lot more things in that area soon.
And I think there's good reason to do this. So once you have a good IAM infrastructure in place, the best approach is to think about how you can start to make this the foundation for your hybrid cloud infrastructure, instead of adding just another infrastructure there. So the question is definitely whether the old-school approach, where we do things internally on premise, is the better one. I think there are reasons for both things.
For example, with cloud-based IAM for external cloud services, you might have an optimized integration with these services, typically SAML-based, but you have just another single sign-on besides what you might have in place. So why shouldn't we use existing solutions? At the end of the day, I think the most important thing is not whether the things run on premise or in the cloud. The most important question is: do they align with what I have in my IAM and GRC infrastructure, and do they support my hybrid environment?
The real requirements I have, from my perspective: IAM for the cloud thus has to become hybrid, because the cloud is, for most environments, hybrid. IAM has to support everything. So that's really, I think, the most important point when thinking about IAM in the context of cloud computing, and yeah, the cloud part of IT will be just a part of it for years. So the conventional part of IT has to be supported as well.
So if you do some new things, they usually still have to work with what you had in place before, and many of the things you had in place before are just on premise. There are, I think, a lot of examples of hybrid IAM approaches you can use: provisioning as a hosted service for internal and external application services, for example, or provisioning supporting external services by cloud service connectors. You could also have specific solutions for cloud provisioning integrated with internal provisioning.
So using something very specific which supports a broad range of cloud services, with support for the external services but a very tight integration with what you have internally, so it supports internal and external services. All these things are looking at hybrid. Also you have, for example, strong authentication which supports internal applications and single sign-on to external services, or runs externally and can protect internal services. So there are a lot of different approaches out there. The core thing is they should work with what you have.
They should support your environment, which typically is a hybrid environment. I've put this together in a short list which says: what are the different approaches to manage users and their access? One approach is what I would call chaotic, where you have some internal IAM but no centralized approach for external services, so many new identity silos are popping up. In the worst case, we have one identity silo per cloud service, because we are managing users per cloud service, we are managing access per cloud service.
We build new silos instead of reducing complexity, which imposes significant issues for GRC, for security, for administration. That's obviously not the way to do it. We might work with a distributed process: standardized and centralized internal identity and access management and centralized external identity management. But that means we have two ITs, an internal one and an external one. I don't believe in that approach. I believe in the centralized approach, where we have a centralized IAM infrastructure, which might be run on premise, which might be hosted,
some parts might be on premise and some other distinct parts might be hosted, depending on whatever you need, where we manage internal and external users, internal and external services, where we focus on standards like SAML and others, where we have a single set of policies, so who's allowed to do what and all that type of stuff, and where we support our entire hybrid environment. So that's what I really prefer as a solution.
So moving forward from, let's say, an approach which is focused on different things towards an approach which says: okay, yes, we have one business, and we support this business by internal and external services with one IT, and this one IT requires one IAM. So from my perspective, there's no value in cloud solutions for the cloud only; the value is in supporting the hybrid environment. And that's also about how to expand what we have, so from on premise to the cloud. This slide is the one which is focused on, let's say, more the overall IAM and cloud strategy.
So what are the important things when we are moving forward? First of all, we should have a cloud strategy. What do we want to do in cloud computing? How do we change the internal environment in that case, and what do we use from external providers? These are some core questions we have to ask ourselves: what does cloud computing mean?
What do we change? What can we use from external providers? What will we use internally? Then we have to look at the risks and the risk mitigation and the management and all that type of stuff. And that's where also our identity and access management comes in. So which technical elements are required? IAM for a hybrid environment is a very important element in that. And then it's about integration. So how does it overlap
with what we have from the service perspective? Which services shall we expand? Where do we need new services, and how do we really deal with this environment? Building a strategy first, looking at security, and then moving to the cloud with a defined identity and access management strategy first, that's what you really should do. Okay. So it's about expanding your IT, not reinventing it, because it's really about how we can move forward, supporting some external services, managing what happens externally. And you also have to consider which services to run internally over time.
IAM might be one; it might be outsourced management, it might be run internally. You also have to think about which are the really critical services you have to keep control of. IAM, so identity and access management, is one of these services. So looking at recommendations, you really should check your technology: which tools support or will support hybrid environments? So which work in these environments and could be run externally, internally, and so on. Check your identity and access management strategy at all. Does it cover the hybrid reality?
What do you have to do with your strategy, how do you extend your strategy, and maybe ask the experts like us, by the way: how do you work with external and internal users, with external and internal services, with external and internal deployment? Look at the standards; you will need to support standards at a much higher level than today, SAML, XACML and other things. And then enhance your infrastructure, and look at what you need, which services to add, and all that type of stuff when looking at IAM and the cloud.
So one of the last two slides. One thing I also like to shortly cover is sort of a checklist for compliance when looking at an IAM solution run in the cloud. One of the questions is where data is processed, including personally identifiable information, so the PII things. That's a very important question, because that is a problem with respect to a lot of regulatory requirements. Where administrators operate, the same is true.
So if you're crossing borders, at least of the European Union, then you have to be very careful, for example, about which audit data is provided. So if you're running things externally, how do you keep control? Are there comprehensive SLAs from your service provider for you?
Are standards like SAS 70 available and supported, and how do you implement these management concepts consistently across all the things you are running internally and externally? And finally, how do you audit operators and administrators on both sides? So how to implement also privilege management for the IAM environment.
And finally, when you're looking at providers in that space, so IAM providers, then I think one of the important questions to ask is: does that concept work for hybrid environments? That's obviously the very first question you have to ask. Are the compliance requirements met? So do you really meet the requirements around compliance when looking at this IAM provider? Is the business model fair and predictable? So are there any cost risks you can't predict? How to migrate back? You might also want to migrate back your IAM which you have externalized.
And finally, is it really a standardized service where you still can customize where required, sort of this 80/20 rule thing? These are, from my perspective, very important things when looking at IAM in the cloud and for the cloud. And I think, as I said, my perspective is this is very much about hybrid environments. And that's the point where I want to hand over to Idan, who will then talk about deployment patterns for identity management in the cloud and for the cloud. I will make him presenter and hand over to Idan.

Thank you, Martin.
That was a very good talk. All right. So I think this will dovetail quite nicely, where Martin talked, I think, more about the business approach to integrating identity in the cloud. I'm going to drill down and talk a little bit more about architectural patterns. So hopefully you can all see my screen, right? So on my agenda, I've prepared a slide deck.
I wanted to talk about a very quick overview of cloud computing. I'm sure you all know what it is, but more than that, I'm oriented towards: why should you care?
And that links into the analysis later. So I'll do that very quickly, because I think here I will be, in a sense, preaching to the choir. Then I will talk about different kinds of identity and access management, simply because the terminology "identity and access management" is so broad, and really, I want to focus on one subset today. And then I'll talk about how the two kinds of technologies intersect and how you might go about doing an analysis.
What sorts of intersections or integrations make sense, and what sorts maybe not so much. The obligatory marketing slide: Hitachi ID is an identity management software vendor. We're primarily North American; we're growing in EMEA. We're about 50 people, about 800 or 900 customers, and about 10 million licensed users. I'm not really a marketing guy, so I'll just move on from here. All right, so cloud computing. Well, the word cloud really means something amorphous, something without a clear shape, and that ambiguity is intentional.
It's really intended to show that, as an organization, you're not specifying where your applications are running. They're somewhere out there. And this is an old concept from old network architectures. When you move an application to a cloud service provider, really you're talking about the ability to ramp capacity up and down very quickly, so dynamic capacity, and in financial terms, you are replacing capital expenditure, upfront purchase and configuration and so forth, with operating expense, just paying for the capacity that you're using.
And typically we're talking about systems that are delivered over the internet. I know there's some notion of private clouds, public clouds, hybrid clouds, and there are actually people out there, Amazon is notable for this, saying: you know what, if it's not on the internet, we don't think it's a cloud. We can quibble about terminology, but for today, I think we're mostly talking about cloud that's delivered over the internet. So cloud computing is, in a sense, not a technology. It's a business model, right? It's about where the technology runs as opposed to what technology is running.
All right. So let's drill down into a little more concrete definitions. When we say cloud computing, generally we're talking about software as a service, or platform as a service, or infrastructure as a service. These are the usual three candidates, if you will. And in the enterprise space, more often than not, we're talking about software as a service: things like Salesforce.com, Google Apps, and any number of outsourced applications that move out of your on-premise internal data center into some provider.
But you may also be developing applications on some of these platforms, like Force.com or Microsoft Azure or a number of others, or you might simply need dynamic capacity for adding and removing virtual machines. This is where something like Amazon's elastic cloud platform comes in. All right.
So now that we've got some basic definitions, why bother, right? The theory depends on which kind of cloud computing we're talking about. So for software as a service, the theoretical benefit is that some company that is expert at hosting a single specific application is operating it for you. So you're getting the best expertise for that application. And ideally you should have zero effort to start up a new application or to expand the scope. Salesforce is a good example.
You want to add some sales reps, you just pay a little more. You want to migrate to Salesforce.com, you don't need to install servers, connectivity, databases. You don't need to buy software licenses. It's at least, in theory, a small effort; you can be up and running very quickly. Another part of the benefit that's proposed here is that the software, the application, is always kept up to date. So the vendor that's operating the service for you upgrades the service periodically too.
And this compares favorably with traditional applications, where you might go years between version upgrades, and old applications start to look really old, really not very current or as valuable. The reality from all this stuff is: for sure you get frequent upgrades. The other advantages you may or may not get. So you may or may not have access to really good expertise, and because of configuration and integration work, the zero effort to spin up access is not always realistic. In the same way,
there's theoretical versus realistic benefits for platform as a service. The main advantage in theory for using somebody else's cloud-hosted application platform is scalability. You can develop very small and, in a very short time, grow to millions of users. The reality is you do get that, but you also get fairly limited features, and you usually get locked into somebody's platform. So if you build on Azure, you're going to be on Microsoft indefinitely; if you're building on a Google platform, you'll be on the Google platform indefinitely.
Your application is kind of tied down. For infrastructure as a service, the main advantage is that the amount of physical capacity, CPU, disk storage, memory and so forth, is adaptive. So you need more capacity today, you buy it; you need less tomorrow, you give it back. The reality is this works pretty well for low-demand applications. But if you have servers that are always on, that need to be always responsive, the adaptive capacity is not really something you need, so you wind up paying more.
So if we add these up, in a way, think of the right-hand column as the totals: the theory is that you can lower cost with cloud computing and pay for what you use. The reality is that you have dynamic capacity, and people don't seem to think about this very often, but a big impact is you eliminate capital expense and replace it with operating expense. That's what the accountants think about, anyway. All right. So when you talk about moving things to the cloud, there are always some sort of objections, and some of it is real, and some of it is what we call fear, uncertainty and doubt.
The FUD, I think, is: is it secure? Is it available? Will it perform? And I would argue that these are not very serious problems, because any cloud or software-as-a-service provider that fails to meet these metrics will be out of business very quickly. So the level of care that the cloud service providers invest in these parameters is actually very good. The more serious problems, problems that I think are more realistic, are to do with legal liability. So does your contract with your customers or your regulatory regime allow you to move some of these applications or this data out of your perimeter?
Is the vendor going to stay in business? If you're going to use a smaller cloud provider, or maybe even a big one, do you trust that they're going to be in business next year? Can they integrate with your on-premise applications? So you've got a whole inventory of applications inside your firewall.
Can you plug the two together? And Martin mentioned this one:
if you decide to change to a different provider, can you move your data? Is there data portability? And with movement in mind, there's also a question of jurisdictional restrictions. Are you allowed, pardon me, are you allowed to move your data to wherever this CSP has a data center? All right.
So that was the cloud background part. What about identity and access management? One way to think of identity and access management is as an integration layer between the user lifecycle, onboarding, activation, things like that, on the one side, and your applications and systems and access rights on the other side. So you're talking about managing users, identity attributes, login accounts, passwords, tokens, smart cards, groups, and so forth. Users might authenticate with any one of a variety of technologies. And in the authorization step, you're really doing two kinds.
You're doing authorization at login time and authorization around any given user action: can the user see the screen, access this data, and so forth? So identity and access management, as I said, is kind of a broad term. If we think about more well-defined components, we have software to manage or administer accounts and entitlements, we have solutions to manage authentication factors, and we have single sign-on and access control technologies broadly. I'm sure you can think of other categories too. All right.
So the user lifecycle is pretty straightforward: hire, manage, support, deactivate, and sometimes people come back up the cycle; you have rehire situations. The business problems are also straightforward: slow and expensive provisioning, all kinds of management problems around inappropriate access rights and evolving access rights and so forth, support for things like forgotten passwords and lockouts, access deactivation, which should be reliable and fast, and none of the above. The business problems are very straightforward.
How do these two kinds of technologies, cloud computing and identity administration in particular, which I'd like to focus on, how do they intersect? So the first question is: what does it mean when we throw around a term like identity and access management in the cloud? Martin was referring to this, actually. Are we talking about an on-premise identity system managing access to SaaS applications, for example? Or are we talking about identity and access management as a SaaS application managing user access to on-premise or perhaps other SaaS applications? Are we talking about augmentation,
so a SaaS IAM system connecting to an on-prem IAM system? Are we talking about federated access management, so single sign-on across domains? So lots of combinations and permutations. And my point here is, if somebody says "IAM in the cloud", your first response should be: what do you mean by that?
Because that's not a very well-defined term. All right. So if we want to understand what we mean by that, we can think about this by breaking it down into components. There are several participants here. You have a user, and the user signs into an application after he authenticates to some authentication system; it could be a directory or a smart card or something.
And the authentication system is managed by an identity and access management platform. Now, each of these participants, the user, the application, the authentication system and the IAM system, each of these can be in different places. They could be on the corporate network, out on the internet SaaS-style, or at the data center that belongs to a cloud service provider. Right. And the interesting thing about these locations is they're not just glued together. There are usually firewalls between them that prevent all sorts of data traffic between them, right?
So we have moving parts, or participants, at different locations that are segmented from each other. All right. So if we draw a picture of that, here we have the internet in the middle, we have a cloud service provider on the right, and for a baseline case we've left everything inside the corporate perimeter. So imagine that the box on the left is your corporation. This is your private network, and you've got everything in here. You've got your identity and access management system, your applications, your user directories, and your user is physically here.
And you can see that there's a little firewall that connects these. These firewalls are interesting. They're porous in one direction and usually fairly open in the other direction. So they're kind of a one-directional sieve. All right. So if this is a baseline, what do we think of this baseline?
This isn't cloud computing at all, right? There's nothing outside.
Well, the pro of this is we understand how this works. This is how everybody's done business for a long time. And another pro, or another benefit of this basic approach or baseline, is the integration is simple. You don't need to have firewalls between the IAM system and the directory, or between the user and the application, and so forth. Everything is kind of open. The cons:
Well, application deployments tend to get very old before they get replaced, so the upgrade cycle is terrible, three or four years. The physical infrastructure is expensive in terms of dollars and cents and space and energy consumption. And the workforce is a problem. It's a problem simply because you usually can't get enough good talent to configure and maintain everything.
And these are the usual motivations for looking at putting things into the cloud. So as you can imagine, we can start moving the participants around. So in this example, I've moved the identity and access management system out, right? So everything else stays inside. I have an on-prem application, on-prem directory, on-prem user, but the IAM system moved out.
So this is IAM in the cloud, managing everything else on premise. Pros and cons again. So one of the basic pros of cloud computing in general is, oh, okay, great, I don't need a server, I don't need a database, I don't need to buy or maintain that stuff. Cool. The software is always updated; it's always a current version. Great. And maybe I don't need quite so many skilled people in house. Cons:
Ooh, I still need to integrate something outside with something inside. So I'm moving across the firewall in kind of an unnatural direction. Another con:
And in this sense, I might be disagreeing a little bit with Martin. You have to find a vendor that operates a very reliable network operation center, so multiple data centers, 24/7 monitoring, all that kind of cloud hosting vendor goodness. But the same vendor also needs to have a very good consulting team to implement your identity management system. And I don't see a lot of vendors with both of those kinds of capabilities under one roof. And the other problem is a bit of vendor lock-in.
So if you do manage to deploy a system like this, if you ever change vendors, it could be quite difficult. All right. So I'll do a couple more scenarios, and I'm not going to cover them all. We've actually got a white paper that covers 24 of these scenarios.
So in this scenario, I moved the application out to the cloud. So everything else stays inside, but I moved one thing out, the application. So imagine this is salesforce.com. That's classical. Pros and cons:
Well, first of all, we have to ask, what do we mean by this? Does this mean we're managing logins to the application with federated login technology, or does it mean we're managing user objects on the SaaS application? With federation, the pros are obviously convenience, single sign-on, and it might reduce the administration burden if you can eliminate the need to create and delete user objects on the SaaS platform. The con is, if your user moves around, and we didn't show that in this diagram, then in order to get to the federation capability, first they need some VPN.
So you've got this thing out on the internet. You'd think that your user could just connect directly to it because of the federated access component.
No, no, no. They have to log into your environment first and then link out. So that raises a problem with devices like iPhones that may not have a VPN client. All right. So if we're not talking about federation, then we're talking about identity administration, and the pros here are, well, it's just another connector for your IAM system. It happens to be a connector for something that's outside in the cloud. And it's always good to add target systems; it always adds value. Cons:
Well, I don't know. You have to buy and configure one more connector. It's really not a big deal. All right. Another example. As I said, I'll just do four of these.
So in this example, we're going to outsource the directory. This is really bleeding edge. I don't see any significant organizations doing this, but the concept is: forget about your Active Directory, authenticate your users against Facebook or Google or Yahoo or something like that. Can you do that? I don't know. Your users might be happy.
I mean, you know, I'm a user, I have my Facebook account or my LinkedIn, whatever it is. If I could use that at work, it's one less thing for me to manage. Sounds good. Maybe onboarding for your new hires is quicker. That's also good. And you know, if I'm a big organization, I have hundreds of domain controllers. That's a ton of hardware I could throw out. I always want to throw out hardware. The cons: do you trust these guys?
I mean, would you trust an outside party to authenticate your users to your internal applications? Can your legacy applications do this, or do you need some kind of exotic infrastructure? And what would your auditors say? I don't think this use case is all that realistic today, but it's a scenario to think about. All right, another one: let's move the user out. So the user's not going to go work out of the CSP office. He's just working from home or a cafe or somewhere else. So this is just a mobile user case, right? Mobile workforce, lower facility costs.
I have customers that are trying to reduce the amount of office space they own by a third, right? Half, maybe. So obviously there's a cost saving. Employees like this, staff retention, they might be more productive if they're not in the office.
And, you know, having conversations all the time. Cons: well, you need a VPN, obviously. And if you move all your apps to the cloud, then isn't the VPN redundant? But in any case, this is just the standard mobility scenario. All right? So there's a whole bunch of these scenarios. If you count them, moving all the objects around, there are naturally 24, and there are only 24 scenarios if there's just one of everything. If you have two IAM systems or two applications, obviously the number of scenarios grows even more. And as I said, we have a white paper that goes through every single one of them in detail.
So we're running a little bit short on time. I'll do this real quick. Fundamentally, things to think about. Don't forget the firewalls. You have firewalls all over the place; they segment these networks. They're open in one direction, closed in the other. When you consider what to put where, whether applications or IAM systems or directories should be out at a CSP, think about what it means to get over those firewalls. It's important. Think about trust and compliance. Do you trust the CSP to safeguard your data, to stay in business? Think about mobility.
Your users are increasingly coming from somewhere other than your premises. Think about connectivity. If the integration between an application in the cloud and an application in your environment moves a lot of data around, then it's going to fill the pipe and it might not be a good candidate for moving out there. So think about bandwidth, latency and data volumes. Talk to your accountants, because moving to SaaS in particular eliminates CapEx and adds OpEx, capital expense versus operating expense. It changes your budgets and might change your tax treatment.
Believe it or not. Think about dynamic capacity: the more dynamic your capacity needs, the more incentive you have to go to the cloud. Think about process maturity and skill sets, yours but also the CSP's. And think about retooling. Integrations usually are switching from client-server kinds of solutions to more standards-based, web services based approaches, and your application inventory may or may not be ready. Opinions, basically:
I think the baseline is safe, expensive, slow, and, you know, arguably not that mature in most organizations. If you want to think about moving the identity management system itself to the cloud, I think you'll find that there are limited examples. And the reason for that is it's hard to find a vendor that's both a good consultant and a good CSP. We have vendors that are good at one of those things, but not so many vendors that are good at both. Managing access to applications from your conventional IAM system,
I think it's crazy not to, actually. I think that that's something that every organization should be doing. Outsourcing the directory, I think that's a bleeding edge concept. I think there are cases where you certainly want to do that for your consumers, but for your employees, not so much. And remote access,
well, this is standard mobility. Everybody already has mobile workforces. You can think about outsourcing the VPN, virtual desktops and so forth.
All right, that's the slide deck. So we'll switch to questions now. I guess anybody who's interested can write down these URLs. So we have short forms. The interesting one, I think, is this white paper, which goes through all the scenarios, plus a few more for privileged access management. And beyond that, like Martin, I'll be at the European Identity Conference. So if you'd like to meet in person, please do. Okay, thank you. That was really a great presentation and a lot of, I think, very useful information in there.
So it's time for questions right now. Please start entering your questions, and then we might pick them up and answer them. So a first question here, and I hope that we receive a lot of additional questions afterwards. I believe the information with the links has been available for some while right now, but as I've mentioned before as well, the recording of the webinar and the presentations will be available for download.
So you can access them at our KuppingerCole website latest by tomorrow, so that you then can have a look again at the links and the scenario information and all the other valuable information. Okay, let's start with the first question. Do the big four accountants have sufficient legal knowledge for handling these issues regarding customer data being moved to the cloud? I think this question is one where maybe I might provide some part of the answer as well. I think it's a very interesting question.
I would assume that they should have sufficient legal knowledge somewhere, but not necessarily on broad availability, I would say. So it probably really depends on finding the right people within these organizations, or they're pretty good at finding or identifying these people themselves. And I think it's also very important to bring in, let's say, a good amount of your own knowledge and your own ideas to ask the right questions there.
So it's definitely something where you should be careful and put a lot of your own thinking into how to handle these things, and not fully rely on someone external. Would you like to add to this?
Yeah, I think jurisdictional risk and the sort of interaction between jurisdictions and regulations and outsourcing. I mean, cloud computing is really outsourcing some function.
I think that's actually a real challenge. I don't know that anybody really has a good solution, including the big consulting firms. And the reason I say that is there are literally hundreds of regulations and there are hundreds of jurisdictions, and each of those has something to say, potentially, around security, around data movement, around controls and so forth.
And I think basically the problem is there are too many combinations, and if you have too many combinations, nobody's going to know all the answers. So I think this is a bit of a great challenge facing outsourcing and cloud computing.
Both is, you know, if you engage a party in another jurisdiction, what does that mean? What can you let them do? What can you not let them do?
And if you are yourself a multi-jurisdictional organization, like a multinational corporation or something, what does that mean? And sometimes organizations actually get into a situation where in one country the regulation is do X, and in another country the regulation is you must not do X, and you will definitely violate regulations somewhere.
And I say that because we've actually seen that. It has nothing to do with cloud computing, but Hitachi ID is incorporated in Canada. Our parent company, HDS, is incorporated in the US. And there are, for example, just a completely random example, rules regarding export control that impact who you can and cannot hire based on their country of birth or origin, and the rules in the two countries, and these are very similar countries, very close, very open borders, the rules in the two countries are contradictory. If you comply with US regulation, then you're breaking the law in Canada.
And conversely, if you comply with Canadian regulation, you're breaking the law in the US, so you can't win. And so I think this is kind of an open challenge for organizations in general with cross-jurisdictional problems. Yeah. And I think maybe that's some very interesting information. We will have some very interesting presentations regarding specifically this topic of regulations in different areas and how to deal with these things at our European Identity Conference. So you definitely should have a look at our agenda, and especially at GRC and the cloud, correct.
Especially the GRC track, which is the first track in our agenda, because, as I've said, there are some sessions which really are focusing specially on these issues. But I agree with Adam, you might end up violating something somewhere, depending on what you do, and this is something where you really have to be very careful about what you're doing. Let's see, one of the points is, or what the next question, sorry, I've just mixed up two questions.
Do you know an example of someone who's using IAM as a service and doing these things based on AD in the customer network? Okay. So the short answer is yes, but with strong caveats.
So we actually partner with a number of organizations, people like HP and CSC and Siemens and so forth, and frequently they deploy our technology in multi-tenant cloud-based environments. And then they use that to manage some things inside their customer environments.
And in order to get connectivity, you really have two options: either you have a VPN or you deploy a proxy server inside the customer environment. Otherwise your firewalls block you.
And we have customers taking both approaches, both the VPN and the proxy approach. But when I started, I said lots of caveats. So the caveats are that our partners in this respect generally have very good operational capabilities, but very limited consulting capabilities. And so you might ask, well, how can they deploy an IAM system with no consultants, or with very few? And the solution that multiple partners of ours have arrived at independently is to limit the services that they offer.
So usually what they're providing is password management, which is a small subset of IAM. And even then, they generally offer limited integrations. So for example, we ship product with integrations for over a hundred kinds of systems and applications; our cloud-hosted partners generally support four or five of those, right? So a tiny subset of the possible integrations and a tiny subset of the possible business processes.
So I guess that's one of the boundary conditions where a hosted IAM system works out: if you say the business process is limited to this small menu and the integrations are limited to that small menu, then we can host a system for many customers and do it economically. And some of the deployments are very large. Some of them are tens of thousands of employees, but the functionality is quite limited. What we don't see yet,
so we're having conversations with people about this, but we don't see this on a large scale, is enterprise-scale, full-featured, fully integrated SaaS-hosted IAM. It's possible. There's nothing technical stopping it, but I just don't see any organization yet that has both the maturity to operate a data center, multiple data centers, NOCs and all that, and at the same time has the deep consulting bench strength to implement a robust enterprise-scale identity management system. It's doable, but we haven't seen it yet. Okay. Any other questions from the audience regarding this very interesting topic of how to deal with IAM in the cloud? I think from what we've heard from Adam, that's also what we see. I think it's still a relatively new market, and you really have to, let's say, think about what you're doing and be very careful on these things.
So there are some very interesting opportunities. And so that's really, I think, what the message is. And my perspective is, at the end of the day, the most important thing will be to support hybrid. And what Adam has shown, I think, is also very important: you have a lot of architecture options. So there are a lot of different ways to do it, and you should keep that in mind and think about all the different ways to do it, what are the shortcomings or strengths. So maybe have a look again at our slides or the recording of this webinar.
So if there are no further questions, it's up to me to thank you for participating in this KuppingerCole webinar. It's up to me to thank you, too, for doing this very interesting presentation, and I hope to see you at the European Identity Conference soon.