So today I'm gonna talk a little bit about identity-centric IAM. As I said, I'm a director of Guidehouse. What we do at Guidehouse is we're an international consulting firm and we consult in all matters, including IAM, which I am a group member of. So I always like to start talking about IAM by talking about the, like, before times, right?
So this was even before the internet, before everything. We used to do access management and access control by who you know. So if you were in a medieval castle, the question would be, well, you know, do you know that guy who's trying to get over the bridge right now? Do we know who that guy is? Should we let him in? Then we got the internet and we started using computers in our organizations, and it was the same. You know, Jane would need some access to an HR system and her supervisor would go tell the admin, you know, Jane needs this access. Can you please give her access?
And the answer would be yes, of course, or we would have forms to do it as the organization got bigger. But in the main concept, we have our legacy systems in the middle and a, or a firewall and then a bridge, which is the access control. So it's very labor, very time consuming to get there. But now, with the advent of cloud computing and big data and all these other things, we actually have this tangled mess that organizations have.
They have their legacy systems that are likely on-prem. Maybe they're trying to move them to the cloud, but there are legacy systems that they still need to use. And then we have cloud apps that help us immensely do things such as dig through all that big data we have, or it easily gives our business and customers access to their information. And then of course, we still have our organizational users. And so we have all of these different stakeholders that need access to certain types of data, but we also have different methods and different ways to get into those types of data.
So we have this really big tangled mess. And the question is, how do we deal with an IAM solution? Now we have hybrid solutions in most places. So how are we going to deal with this? And the answer is there's five key principles for any security model.
I like to say they're simple, but they're not. It's a lot of work, but there's five things that I think you need to know for quick wins that work. The first one's strong credentials are critical; identity is the perimeter; automated identity governance rules for access control; privileged access management monitors administrators' every move; and remote and biometric identity proofing enhances IAM for non-organizational users.
I'm gonna do a little deep dive into all of them, but I think that really, once you get to all of these places, you can start thinking in terms of how do I go to the next step into zero trust. To me, these are the foundational elements that you need to create a strong cybersecurity program, or to be able to have automated access control, or to modernize your system so that it helps enable your employees and your business partners or your customers to be able to get the data they need. So the first one: strong credentials are critical, absolutely critical.
If an organization is using only username and password, that really scares me. Please call me immediately. Let me help you. We need strong credentials. We need multifactor authentication in our systems. Passwords just don't cut it anymore. The dark web sells our passwords all over the place. And quite frankly, our customers can't remember their passwords because they have so many and the combinations are different. So strong credentials are very important in any network, in any organizational place. So strong credentials, that's number one, strong credentials.
Let's go, team strong credentials. So the next one is identity is the perimeter. And I know that that sounds really weird, right?
Like, well, our perimeter used to be firewalls. So why is it now identity? Doesn't that seem like it's actually not as strong as having a firewall? It's actually more secure when you think about it this way. For identity to be the perimeter, the first thing you need to know is you need to know who your identities are. If you don't have a centralized repository for all of your identities, I like to call it a master user ID and master identity repository.
If you don't have those things in place, then you don't know who's on your network and automatically your perimeter is a little broken. You need to be able to have a strong perimeter. And with that strength comes this repository. The repository should be not only for your organizational users, but also for your business partners, your customers, anyone who's going to gain any sort of access into any of your systems. You need to be able to know who they are in a centralized location.
The way you get data into there, usually you would likely use an HR system or something else. And within this repository for organizational users, having strong attributes associated to those users is going to help you immensely. It's going to get you to that automated piece for access control.
And it's going to allow you to kinda sit back a little bit and know that you have put in strong mechanisms, that you have lower risk within your system, because you know that your tools are working the way they should, and that your users are getting the right access to the right pieces of data for the right reasons at the right time. So this is very, very important: this idea of identity is the perimeter and making sure that you have a really good identity repository that has robust attributes.
Now, why is this? It's the next one: automated identity governance roles for access control. So what does this mean? This means you have strong, robust identity governance roles. You put in principles into your, whatever vendor you decide to use, but into that program, and you create rules for access. So you have your identity repository over here that has all of your master identities in your organization, and lots of really good attributes.
And then you have in the middle this identity governance tool that allows you to say, okay, well, if this guy over here has a supervisory right, then they can get pushed over into this time card. For example, you can have them as a time card signer, so you can address them, get those automated rules in place, right? So these are really important things to do to make sure that you know who's on your network, where they're going, why they're going there, all those things that you really need to know to be able to, again, have identity as your perimeter.
The other thing that's really important about this is that we kind of touched upon it on the last panel discussion, but AI is a place we're going to and automated access control. It's really important to think, to get that repository all set and ready to be able to get to a place where you can enable your people to do their jobs and not to fill out forms to get access to the things that they need access to. So the idea of birthright access to systems is really important.
For example, you might want all of your employees to have access to, I, I agree example really is a time card system, but you want all your employees and contractors to have access to your Slack channels. So if you create those birthright rules within your identity governance system, then you can make sure that people get the right access that they need from day one, because they have the right attributes in your master user ID at master repository. So these are really important things to think about when you're starting to modernize your IAM solution.
The last thing, well, the next-to-last thing that's really important is privileged access management. Every organization has some form of critical infrastructure that they need protected. Those can be servers. Those can be some applications with really good information in there. Whatever it is that your organization has, that needs to be protected by a privileged access manager. So what that does is, in the smallest of terms, it's kind of like a jump box that your privileged users go into. And then I also like seeing it as kinda like a terminal.
So it reaches out and it gets to all of the really good servers, the network, all the things that have administrators attached to them. And so for those privileged users to get and do administrator rights into those really critical assets within your organization, they have to go through this one place.
Now, if I were you I'd sit here and think, well, Christine, didn't we just talk about this idea of a moat and a drawbridge and how it's not the greatest and how we need to move forward and modernize? The answer's yes, but there's a but. For privileged users, it's really important to, one, have as few holes as possible in those critical assets. So for example, if you remove the ability to get into a server by any means except for this privileged access manager, then you're really reducing your attack vector, which is very important.
So that bad actors, in many cases, cannot move horizontally throughout the system. The second reason why it's important is most privileged access management tools today have a really robust recording mechanism. So it allows you to be able to see what it is that those privileged users are doing. It allows you to see what their keystrokes are. It gives you this ability to really see what's going on.
If you have any issues with something that had happened, maybe someone got a hold of their credentials and acted as if they were the privileged user and they got into a system and did some bad things. Those are things that you need to be able to kind of show, and you can videotape all of these things, which is kind of cool. And then there's also really good analytics attached to it. So you can analyze the privileged access of a person and you can analyze what it is that they're doing.
And if they're doing things that aren't the norm of what they normally do, the tool can shut down the access immediately. That's something that you need to be able to protect your entire system and protect your critical access. So I think these four things, the first four that I've talked about, are really important: the foundation of IAM to be able to get you to the next level, such as zero trust. Now this last thing is something that's more of a future state.
It is something that is definitely around today and is starting to gain traction. And it is really, really, really cool. So remote and biometric identity proofing. I know that this is happening all over the place today, especially because of the pandemic and how we can't go and do identity proofing in person anymore. But the biometric piece is actually kind of cool because biometric, I know most people we think of it as like your fingerprint or your face.
There are absolutely some really good remote identity proofing tools out there that are targeted towards the US, where I am, where you use your driver's license. You take a picture of it, then you take a picture of yourself, like a selfie, live. So then the tool can take the two pictures and compare them to make sure that your driver's license is more likely than not actually yours. But there are other tools out there that will allow for you to continue to vet and identity-proof a person, and some of those use, for example, keystrokes.
So the way that I type is absolutely different than anyone else in the world, which is kind of interesting. And so what these tools do is they kind of start analyzing what my keystrokes are, how I type, what the cadence of my typing is. And then they can go back and they can guess with a pretty high, sophisticated level whether or not it's me that's typing, even if I'm logged in.
So that helps to make sure that that person is actually the person that you want to be accessing the information and to be on the computer, doing whatever it is they're doing. So these are things I'm thinking about today. These are things that we're absolutely doing more research on with the different vendors and the capabilities, and this in particular is something that I'm very excited to start working with my clients on and to start pushing out. So I think that that is mostly it.
I'm hoping that there are questions out there from the audience, because I would love to answer whatever questions you guys have. I know that that was a lot, but I think that it's a really fun topic. And there's so much to go into that, in 15 minutes, I just wanted to touch the surface and get you guys excited about what's out there and how we can get to a zero trust architecture eventually.