So, yes, my title of the presentation is your IM doesn't fit for hybrid multi clouds and digital transformation needs. Then it's time to resync. So how can you leverage what you have and extend by new services architectures to support today's tomorrow's business demand and identity management, and where I wanna start is, but by looking at what is the, the purpose, the role of identity and access management today. And as I said, I'm in this space for really a long time now.
And when identity access management became its own discipline in the early days, it really was about administrative efficiency. So it was about having meta directory services. Some of you were still may remember the term where you could synchronize accounts between different directories. We talked a lot about direct services as the core of everything. And then the, the first provisioning workflows were introduced.
So to automate the day one provisioning of employees and other stuff from there, the next thing we saw as this major transfer user experience, convenience around single sign on, around password management. And also, I think already model 20 years ago that the Sarbanes specifically added governance to that equation, where there was the, the mandatory need to support access reviews to get better access requested approvals, to have well defined standardized and, and audible processes around that. So was at the end of the story?
No, it wasn't. It was really trust, trust, starting point. And over the past years, we have seen evolution such as consumer identity, where, where we see a lot saw a lot of initiatives and a lot of new players entering the market, delivering IM services to, to the millions, tens of millions of customers and consumers organizations may have, but also adaptive authentication, including risk and content space access.
So these were, or some of the major evolutions in the past. And why do we look at what? So what is the drop of identity management today?
Then from my perspective, there are, there are two areas of enablement and the one area, and that is what really has changed identity management crew from an it technology from a technical thing, like synchronizing accounts to something which is about business enablement. So it is about managing the accounts, managing the identities for everyone and everything because digital services, I think this is something which really became a sort of a common understanding over the past years, digital services build on digital identities.
It's always humans or things, or whatever else being involved in these services. We need these identities. And so simply speaking, if you want to be successful in digital transformation, if you want to build, be successful in building a digital business, then this will not work without a strong foundation in digital identities.
And so with a strong identity management foundation, which is, as I've mentioned, which is very different and goes way beyond the traditional employee identity management, we have been focusing on in the past.
And so the other part of that story is the it enablement story. So it is not just the employee anymore. When I talk with end user organizations, one of their biggest challenges these days is partners. How do you about business partners? How do you deal with them?
But yes, there are also customers, consumers, there are devices and things. So think about automotive vendors and others, but also software bots. And so on to, to deal with these new requirements, it must be able to support all that. And also when you look at DevOps, when you look at actual it, that the requirements for, for managing identities and secrets and so on, they are changing.
They are different.
And last, at least when we look at cybersecurity, it's an, I am play. So in a natural, we need to, to extend the reach, extend the capabilities of what we do in, in access management. And the question you have to ask yourself is, are you ready?
Plus your, I am of to day cater to the needs of business and it today and in the future. And if the answer is, I'm not sure, or the answer is no, then it's time to modernize. It's time to revisit your IM and modernize wherever required. The big challenge there is that modernization is another target for itself. The target is to be ready to support today's and future business needs to enable it to serve the business well. And in that digital identities play a very central role. So you need to understand where you need to be.
And you also need to understand what does it mean from a modernization perspective and other things you better keep, or where you are careful and other things where you start. And so this where to start is clearly one of the really important questions here when we talk about modernization. So I've created a little bit of a feasibility metrics for this IM modernization, where, where I let's start clockwise at the upper right edge, where, where there are some lower hanging forwards, maybe low hanging is too positive, but at least lower hanging fruits things you can do relatively fast.
So, which are, if you look at the horizontal axis, relatively simple. And I think the emphasis on relative level simple here in the migration and which provide significant improvements in capabilities, access, and Federation, providing modern approaches in integrating decentralized identities and verifiably credentials, going to risk and context based, authentication and authorization.
These are things where you can get a lot more feature features than traditional solutions today and where the, the balance of what you get and how complex it is, is relatively easy next.
And this, this clockwise perspective would be to discern. So to speak. There is none of the, the, the sort of core capabilities fits into that. That would be things which are relatively easy to do, which don't bring that much additional benefit, but which are nice to have.
There are things which are really hard to diet, just like, like creating directory services, not easy to do or not also not super, super complex, but also if it's not that much of a benefit, clearly at some point you will need to think about how to get rid of a legacy active directory, how to shift to, to more modern approaches. These are things you need to have on your agenda agenda, but it's not the first thing to do.
And then there are to the upper left edge. There are really the tough nuts to crack.
So British access management, probably being simpler in migration and delivering more improvements and capabilities. When you migrate while IGA is something, yes, at some point you need to reconsider that you need to look at it, but it's clearly not the easiest thing to do. Migrating tons of connectors, cetera are challenging. So you need to understand what it means, what is missing, what are the gaps and, and your future requirements, what is feasible? And what does it mean in terms of cost, in terms of management capacity, et cetera.
And then you need to go, that's where I start with the requirements. You need to look at more so roughly at what are the things that are missing, what to do first and here, you, for instance, could start with our cooking or call reference architecture for identity management and think about which are the areas, which are in scope, which are out of scope, which are the things you have, which are the things you have at a level where you feel, this is really what you need.
This is the high level sort of entry into your requirements and licenses start with a, a rough scoping.
And clearly from there, you then need to drill down further into the concrete requirements lists for certain groups of capabilities, for the areas where you intend to do your migration, your modernization first. And so the, the step really to do is to think about what is where I have to biggest wins. Where do I have to the biggest benefit in investing into this modernization journey? And what I'll also touch in a minute is what, what are the areas where you can maybe keep things for a while?
Where are the things areas where you need to probably modernize first, where you have something which is not as modern as it should be, and where it's complex to, to modernize. You may consider sort of looking at a face migration approach, something, as I've said, touch in a minute.
So from, from this, what is needed question, you also need to understand what are main criteria for retiring versus preserving. So, as I've said, there might be things where you say, okay, that still works quite well, but it's also, and I think this is frequently forgotten. So I've seen a lot of plans for, oh, this is what we, all, these are all the things we need to do in identity access management, but you need a budget, you need the skills and you need management capacity. And that usually means at the end, you end up with a face approach.
Don't try to, to everything at the same time, but think about what is the first thing on, what are the things you better keep and, but plan for where you want to end up, have a clear target, have a vision, have a mission, have a roadmap, have a target.
And also, I think we also must be clear. Sometimes it's better, or it's at least worth waiting a while for having, having sufficient choice. Because when we look at the state of the identity management market and the vendors, it's, I would say vendors are in very different stages of their own modernization journey.
So vendors that started many years ago sometimes have still some way to go to, to deliver a modern solution that can run in different deployment models. And sometimes it may be worse.
Also, let's say waiting a little to say, okay, I have more options in this market. The market is more mature. So this is about balancing this, but at the end, what are the criteria?
It's, it are the capabilities you need for the future. So look at really being ready for what you need for the next couple of years, do it in a modern architecture.
So don't forward to the past by, by trust, going to another traditional solution. So if then it must be really something which is also architectural wise, ready for the future. Think about where you can unify. So don't end up as a suit of tools here and always think about is the added value so big that it justifies the cost.
And one of the recommendations we always give when we guide organizations through their tools, trust processes is compare your existing solution to the shortlist vendors you have. So add your current solution to the shortlist, even if you're maybe totally unlucky with your current solution, do it because if your current solution maybe is at 85% of the capabilities, and the best of the other solutions is at is at 98, 90 1%, the different might just be too small to justify an expensive project.
So, and you also might learn from that, that what you have is you may not like it, but it may, it's maybe still not that bad as, as, as you think it is.
And as I said, you also need a target. You need a plan, you need a vision for that. And this is where our identity fabric comes into play. So this is what we have to find as a paradigm for modern identity management. And we also trust our trust about to release a leadership component on that, which will probably be released in the next two weeks. I would say, where we compare the, the major players delivering to this approach.
And this is really about stepping back and saying, okay, what, what is the, what is what we need from a modern identity management? And what we need is at the end of the day, very simple, we have various types of identities and our shoppers to enable them to access the services they need, regardless of where these services run. And that must be a seamless but secure access, controlled access, but we must enable them and keep to sort of, to speak, to ate strains of security, etcetera, in mind.
And so we need to understand that is part of this definition work. What are the main capabilities?
This list sometimes varies in both the word and the, the elements. When we develop them with organizations, you can group them to different services. Also that sometimes varies slightly depending on specific needs. And it must be based on a modern technical architecture. So we talk about microservices. We talk about containers about flexible deployments. Some only have sort of trust public cloud, which also might maybe an option, but at least the architecture must be modern. Such architectures help you in, in better orchestrating integrating solutions by relying on APIs.
And that must work with what you have in applications. And I touched this, this transition topic migration topic earlier, and one approach maybe that you say, okay, I keep my legacy identity management for a while, at least in certain areas, because connecting to some of the legacy systems, I have maybe far to complex changing that.
And I better run that old legacy system just as a path through system, as a provision through system, which does the last mile. And it's easier for me and maybe cheaper to do that.
And this enables you then also to, to migrate your own pace, which is from my perspective, super important. So don't do something which, which really gives you the option to say, okay, this is the speed I need, or I can't keep, you need to support all the new services and you need to provide APIs for digital services. This is business enablement, the APIs for all the new services. So this is our identity fabric, which delivers the agility, but also the integration and migration. And this is where you need to start and end.
It's about your use cases, your capabilities, the identities, to support the services, the architectural requirements, all of these things need to be defined and need to be well sought out at the beginning.
And this is really about finding the balance between rapidly delivering and supporting what, what you have. And a good architect really takes both perspectives. This is what is at the core at the sort of the heart of our identity fabric approach enable enabling both aspects, agility, and integration, and doing it here at your own pace. Okay.
So to close my talk four recommendations, which compile what I've been talking about in the last 15 or 17 minutes, the first thing is plan first, not tools. First, I've seen so many projects where customers have an idea of what they want to do. And then they say, okay, this might be the tools. These frequently are very mixed lists of tools, which are really not comparable. Some of them sometimes don't fit. And it's really wrong to start with the tools, trust, start with understanding what you want to repeat.
And I don't go through the full list, but understand your use cases, your capabilities, etcetera. This is the starting point and spend a little time on that. That's not much time, but every minute invested here is well spent. Understand your requirements, your gaps, and the feasibility. Do you have the money for that? Do you have the budget?
The team, the skills, etcetera, what is more complex is less complex. And then you need a budget and the team and the stakeholders to win and define your quick wins and your big wins here. That's it for my, a thank you.
