All right. I'm here to talk to you, from a journey point of view, about what IAM's inevitable role is today in the speed of digitalization and where we are as an organization now in safeguarding the organization. Just a brief introduction to who I am and to KONE as an organization: maybe some of you already know that, but KONE is a Finnish company with a mission to improve the flow of urban life.
So we are delivering solutions like escalators, elevators and automatic building doors, but also solutions for the modernization and maintenance of these solutions. And we are a global leader, a publicly traded company with over 60,000 employees,
based on last year's figures. We have just kicked off our new four-year strategy period, where we have a main focus basically on delivering even more intelligent solutions and building sustainability deeper into our operations, into everything we do.
And I also added a picture of me there, but yes, I've been at KONE now for the past three years, approximately, as a solution design owner. About the agenda today:
So I caught you here to listen to this presentation with, I think, a little bit provocative title as well. So I'm here to tell you, from my point of view, being at KONE for the past few years, how the business has changed, then how the role of IAM has also been changing in the organization, and how come I say that we have an inevitable role, basically safeguarding the organization. So I will tell a little bit about safeguarding from what, and also why. And then I will go briefly through the approach that we base everything we do on now.
So, an approach that basically makes no compromises and shows no mercy.
And I will end this presentation with some key learnings and takeaways that we have gathered and learned along the way. All right. So let's go.
So like I mentioned, our business is changing. We are a very old, manufacturing-based company, but in the past few years only, we have transformed basically from that manufacturing company into a company which is not only designing and manufacturing these physical escalators and elevators, but is also delivering these 24/7 connected IoT solutions for critical infrastructure around the world, with critical meaning airports, hospitals, private residences and public transport. And I'm beginning to explain the IAM journey here from 2008. That's when I joined.
And between 2008 and 2019, IAM's role has been pretty much the business enabler. So the IAM team was seen as something that enables these smooth joiner, mover, leaver processes.
And that's also when the legacy IDM solution was ramped down, introducing a completely new, modern tool for this purpose, and also starting to adopt agile development practices within the IAM team, so IDM tool development and process development. At that point, I would mention that the key partners with IAM were HR and business, and it also reflects pretty well the role of IAM when we were situated under the business enablers unit in IT.
And then moving to 2019-2020, we were already at good speed after the implementation of the completely new IDM solution. So our focus started to shift a little bit, in that we were seen not only as a business enabler, but also as a security enabler in the organization. So security has been defining more and more of the requirements.
However, the focus was still mostly on serving enterprise IT, and there was an organizational shift under global cyber security.
And the main focus in the past two years has then been onboarding all applications to the scope of the centralized authentication and authorization solutions, and expanding the IAM capabilities not only from person identities but also to non-person identities and to higher privileged access as well. And at that point, I would say the key partners have been the IT operations, infra and network teams that help us get forward.
And we were also identified as a front runner in DevOps within the IT organization. And now a big shift from 2020, so 2020 and onwards.
I would argue here that IAM is starting to shift into a basically inevitable role, starting to safeguard the organization and also the customers. So IAM is not only a business enabler and a security enabler, but it actually provides critical cybersecurity capabilities, not only to the digital workplace and the organization itself, but to our products and our services and our customers, protecting those solutions we provide from unauthorized access.
And we've also been taking the role not only there in the internal enterprise IT, but on the digital product front, focusing on developing APIs, automated pipelines and lean processes around IAM, and we work closer to the customers than ever. Like I mentioned, we are strongly involved in defining basically the security requirements for products. So that, in brief, is the IAM role and how it has changed in the past few years.
And now that I've been briefing the background for how I see this inevitable role emerging, where we start to take the responsibility of safeguarding the organization itself: then, from what, and why?
So, like I mentioned, sustainability is part of our strategy and our focus, but I see that sustainability is not only about the traditional things we talk about, carbon footprint, reducing that, et cetera; it's also about continuously integrating security and safety into everything we do.
So our solutions and services that we provide for our customers, so that they can confidently use our solutions and even develop their own services with us. And one of the major cyber trends that has been shown in the past few years has also been that we are not protecting the organization from malware only anymore, but there has been an increasing amount of these malware-free attacks emerging, which have much longer breakout times, and they are much harder to detect with traditional antivirus solutions.
So I raised here as an example a CrowdStrike research report from 2020, that valid accounts have been the most common technique in more than 70% of the targeted eCrime and state-sponsored intrusions in 2019.
So those valid accounts have enabled the adversary to gain initial access to these systems, escalate privileges, and also keep the access persistent and stay a very long time in the systems without getting noticed.
And here I come to the point that we are indeed enabling business and digitalization, but we are living in an environment where the adversary might already be there among us in our systems. So it's really driving us to make decisions and design solutions and strategy around the assumption that we cannot make any compromises. And we cannot show any mercy for any user, object or device which is not identified, authenticated or authorized by our own IAM. So I will move to the approach now.
So some of you may think this is a baseline, but I want to emphasize the baseline here. So in this ID-driven approach, basically everything and everyone must be identified.
So basically every device, computer, physical thing has to have a unique ID, has to have an ownership, and be identified. So does any object that has to have access to anywhere. And having both of these identified, the devices, computers, things, and the objects that need access to those, becomes critical when we start to talk about these kinds of access to things and machine-to-machine access.
So every internal user, external user, robot, admin, service principal must be identified and brought to IDM lifecycle management. And then we come to the apps and systems. So every account and entitlement in every system, whether it is an application integrated through a directory like AD or AAD, whether it is an app directly connected to IDM, or a disconnected application, must be identified by the IDM solution.
Secondly, everything must be lifecycle managed. So all the identities and objects that must have access somewhere must be created, modified, and lifecycle managed by the IDM solution, in addition to all the entitlements from the systems.
And then we go down to how we basically detect, for this whole system, the baseline that we have built, how do we make sure that we really make no compromises and show no mercy?
So, firstly, I think that in IAM we are often faced with these discussions where we have to make compromises because business or IT has been used to doing stuff, for example, outside of IDM. And we have to be the bad cop and come and say that no, we make no compromises. But once we've done that hard work and reached that state, where everything is identified and lifecycle managed by IDM, how do we monitor and make sure that's not being violated?
So our approach is that we have an automatic reconciliation,
you may call it, where IDM is scanning all the target systems for changes. So basically in any connected system, IDM will immediately detect if, for example, an account was created in the target outside of IDM, any entitlement or group membership was changed by something else than IDM, or any account's attributes, let's say, for example, a mobile phone number, which is often used for MFA, were altered by something else than IDM. IDM would immediately detect that and revert the situation.
But the problem here is also that IDM doesn't have visibility and cannot see the source of such an action. So in order to bring it all together, we also built the integration from the target systems to the SIEM. So IDM is sending this information about the violation that was detected and reverted all the way to the SIEM, and the SIEM will immediately correlate that with the action in the target system, identify the source of such action, and block that either automatically or through manual action in the SOC.
So this might sound like a baseline that should be in place, but I think in these days we need to understand that IDM is much more than just a business enabler; it can be an actual driver of security in this way, safeguarding that nothing should be modified or altered in the target systems without IDM being the source of such action.
I might be moving at fast speed here, but I'm planning to move now to the learnings and key takeaways. And after that, I'm happy to receive some questions or discussion on this approach. All right.
So my first learning, key takeaway, is: well, do it agile. So I like to say this always, but I think you can do this as well in an agile manner, because a little security is better than no security. So if you have an agile IAM program where you are onboarding applications, entitlements, accounts little by little to the scope of IDM, you may still introduce this in an agile manner as well. So for example, in our case, we implemented an automation using flags. So whenever, for example, entitlements or groups were migrated to IDM,
they were then automatically introduced into the scope of such monitoring and detection.
And secondly, I very much recommend starting this sort of activity with high-risk accounts and entitlements first, because there is usually a lot of resistance from the stakeholders, as there are these teams that have shadow processes and teams that are used to doing things, for example, in AD directly, so creating groups and doing whatever they've been used to doing, that might not take this well.
So it's a good argument to start with these high-risk entitlements and accounts. And in this way, when you move forward, you may also identify very surprising and vulnerable processes that should be fixed.
Some other takeaways than these two, which I find very good and important, are cleaning up stale and non-used entitlements by utilizing automation.
So I think there are a few things that can be done very easily using automation, based on, for example, certain attributes like last logon, when this account was last logged on, or utilization logs, and the rest is then kind of a long tail. So it will require a lot of aggressive effort, but also a lot of manual effort and analysis to get there, to cover basically 100 or 99%.
And secondly, I'm maybe repeating myself a little bit here, but at least in an organization like ours, that has a history of more than a hundred years, we have a lot of legacy history and legacy processes, and they should be identified, ramped down, and replaced by introducing these kinds of ID-driven processes and automation everywhere. And thirdly, I would say that it's very important to partner strongly with these infra teams, in order to build that baseline where everything is asset managed, everything is there in the configuration database; if that's not done, it should be put in place.
Because at that point, when you start building, for example, privileged access to the servers or to machines, this is an absolute requirement. Every time a device is provisioned or deprovisioned, any related objects should be lifecycled along with that. And lastly, I would say that for privileged access, I would recommend ensuring right from the start, when deciding on the solution and which product to go with, that the capability exists to log, monitor and detect PAM bypass centrally.
So in the same manner that I showed for the IDM-driven way, any kind of access to the target server or privileged target should not be initiated from anywhere else than through PAM. And there should be the capability, both from the target server side but also from the PAM itself, to correlate this in the SIEM and be able to raise this as a security incident or block it immediately. You may purchase PAM and implement it in use, but it doesn't start to generate actual security value before this is in place.
That's my presentation. So I'm very happy that you came here and listened, and happy to answer any questions.
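The reconciliation approach described in the talk (IDM compares its desired state with what the target system actually holds, reverts drift, and hands the violation to the SIEM for correlation) can be illustrated with a small model. The following is an added example and is not code from the presentation or from KONE's IDM; account names, group names, phone numbers and the JSON event format are all constructed for the example, and the "monitored" flag stands in for the scope flags the speaker mentions for agile rollout.

```python
"""ID-driven reconciliation: compare IDM's desired state with a target
system's actual state, revert any drift on monitored accounts, and emit one
violation event per finding for the SIEM to correlate with the target's own
audit log. Added example with constructed sample data."""
from dataclasses import dataclass, field
from copy import deepcopy
import json


@dataclass
class Account:
    groups: set = field(default_factory=set)   # entitlements / group memberships
    mobile: str = ""                            # MFA phone number attribute
    monitored: bool = True                      # scope flag: False = not yet onboarded


# Desired state as IDM knows it (constructed sample data).
DESIRED = {
    "alice": Account({"finance-ro"}, "+358400000001"),
    "bob": Account({"ops-admin"}, "+358400000002"),
    "carol": Account({"hr-ro"}, "+358400000003", monitored=False),  # still being onboarded
}

# Actual state read back from the target system, with drift injected.
ACTUAL = {
    "alice": Account({"finance-ro", "domain-admins"}, "+358400000001"),  # group added outside IDM
    "bob": Account({"ops-admin"}, "+358400000099"),                       # MFA number altered
    "carol": Account({"hr-ro", "hr-admin"}, "+358400000003"),             # drift, but out of scope
    "svc-shadow": Account({"domain-admins"}, ""),                         # created outside IDM
}


def reconcile(desired, actual, system="directory"):
    """Return (violations, corrected_state).

    Every deviation from IDM's desired state on a monitored account is
    recorded as a violation and reverted in the returned corrected state.
    Accounts missing from the target are left to the provisioning cycle.
    """
    violations = []
    corrected = deepcopy(actual)

    def flag(kind, account, detail, reverted_to):
        violations.append({"system": system, "type": kind, "account": account,
                           "detail": detail, "reverted_to": reverted_to})

    # 1. Accounts that exist in the target but are unknown to IDM.
    for name in sorted(actual.keys() - desired.keys()):
        flag("account_created_outside_idm", name,
             {"groups": sorted(actual[name].groups)}, None)
        del corrected[name]  # IDM was not the source, so the account is removed

    # 2. Known accounts: compare entitlements and MFA-relevant attributes.
    for name, want in desired.items():
        if not want.monitored or name not in actual:
            continue
        have = actual[name]
        added, removed = have.groups - want.groups, want.groups - have.groups
        if added or removed:
            flag("entitlement_changed", name,
                 {"added": sorted(added), "removed": sorted(removed)},
                 sorted(want.groups))
            corrected[name].groups = set(want.groups)
        if have.mobile != want.mobile:
            flag("attribute_changed", name,
                 {"attribute": "mobile", "observed": have.mobile}, want.mobile)
            corrected[name].mobile = want.mobile
    return violations, corrected


def siem_events(violations):
    """One JSON line per violation; the SIEM joins these with the target
    system's audit log to find who performed the out-of-band change."""
    return [json.dumps({"source": "idm-reconciliation", **v}, sort_keys=True)
            for v in violations]


if __name__ == "__main__":
    found, state = reconcile(DESIRED, ACTUAL)
    for line in siem_events(found):
        print(line)
```

The reconciliation itself only knows that a change was not IDM's doing; the `siem_events` output carries enough context (system, account, what changed, what it was reverted to) for the SIEM to correlate it with the target's own audit trail and identify the actor, which is the step the talk describes as either automatic blocking or manual handling in the SOC.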