Hello everyone, welcome to today's KuppingerCole webinar supported by One Identity. Topic of today's webinar is Identity Sprawl, the new scourge of IAM. I am Nitish Deshpande, Research Analyst at KuppingerCole Analysts and today I'm joined by Rob Byrne, Field Strategist at One Identity and Robert Kraczek, Global Strategist at One Identity. In today's webinar, we will take a look at the concept of Identity Sprawl and some of the measures which can be taken to address this challenge. Before we begin our webinar, here are some housekeeping instructions.
You all are centrally muted, so you don't need to mute or unmute yourself. As always, we try to keep these webinars interactive, so we will be running a couple of polls during this webinar and I would like to encourage all the participants or everyone in the audience to provide the answers. We will discuss the results of this poll during the Q&A session, which is at the end of the webinar. You can enter the questions at any time using the C1 control panel and we will be addressing as many questions as possible during this Q&A session.
Finally, we are recording this webinar, so the recording and the presentation slide deck will be made available for download in the coming days. Now, let's take a look at a quick agenda, along with looking at Identity Sprawl and the initiatives for combating it. We'll also initially take a look at what the role of data is in IAM success, the role of identity data and some of the challenges around it.
Before we begin with the webinar, I want to start right away with the first poll of today's webinar and that is, have you ever experienced difficulties keeping track of your various online accounts and their credentials? Is it A, yes or B, no? You can cast your votes in the C1 panel and we will definitely take a look at the results towards the end of the session.
Now, let's take a look at what is the role of identity data in IAM. IAM has changed due to the shift from normal user accounts for the employees of an organization to digital identities for everyone and everything. You have digital services in the digital transformation that are building on digital identities.
So, there's no successful digital business today without a strong IAM foundation and for that you need strong user identity data which can be leveraged for various purposes such as authentication and authorization. Then you have access controls and these policies are crucial for determining which identities can access what and at what time and so data from roles is used to implement these kind of access policies. Then it's about integration with the data sources such as directories, HR systems and third-party applications.
These integrations support up-to-date information of identity data to the IAM systems. Finally, it's about auditing and reporting, that is, analyzing the identity data such as user log and user activities for identifying user behavior patterns. But why do we need to handle the identity data and how can we do that?
So, here are some of the fundamentals of handling identity data. The first is to provide strong identity data for authentication, next is to deliver context for authorization, then enforcing reliable identity data, having unified identity information and covering all types of identity. We'll start with taking a look at strong identity data for authentication, and I want to talk very briefly about Zero Trust here because it starts with identity, and the better the quality of the identity data, the higher the assurance level for authentication. Authentication is the first step for verification.
That brings us then to authorization, which follows authentication. It's a repeated verification process for some level of access and that's where we also need data, where we need information such as roles and attributes, when we look at attribute- or policy-based access controls.
So, authorization decisions rely on this kind of contextual information and this data needs to be reliable. Verification of identities leverages this kind of reliable data. Weak identity data limits the level of assurance in authentication and the reliability of the overall authorization decision process, and the way we can simplify the authorization process is by grouping identity information. Some authorization systems can use contextual information from various sources, but some are limited to a single source.
So, in order to simplify the overall authorization process, unifying the identity information is recommended. And finally, it's about including all types of identities and that extends beyond human identities. We are talking here about non-human identities such as services, devices, and basically everything and anything that is connected to the system.
So, that brings us to the four tenets for identity data and how you can handle identity data in a correct way. The first is having comprehensive identity data which includes all the attribute and contextual information. Then it needs to be correct and current. Having the most recently updated identity data is very crucial. And finally, the identity data needs to be consistent across all the systems in the organization. And one of the challenges which many organizations are facing is having inconsistent data across all the systems.
Having inaccurate and incomplete data records and also having outdated data across the systems. Also, there are issues around having multiple entries for the same identity in different systems. There are also challenges around having different formats and standards for storing identity data. And that also brings us to some of the other challenges is having the overrun regulatory requirements. Identity data needs to adhere to compliance, reporting, and data auditing. Identity data is required to be maintained as accurately as possible for auditing and reviewing logs.
It needs to be encrypted and protected to prevent unauthorized access. Then you have these access control policies and principles which will demand the highest quality of data around identities. So now we dive deeper into the identity sprawl concept, which is basically the uncontrolled distribution of identity data across various systems. And right now there are users with multiple identities in multiple locations. And this is leading to inconsistent data across the systems. You also have duplicate records of the same identity.
And this is all leading to difficulties such as the consumption of data. And it is becoming difficult to integrate this data as it is inconsistent. Digital identities are sprawling across many silos. And it's one of the aspects that's leading to the lack of identity information quality. Data will remain residing in a broad range of systems. And the tendency of sprawling identity data will continue with more and more identity types being in scope. So those are some of the points around identity data.
And then what are the challenges that we are currently facing because of this identity sprawl? And that is the data quality. It is getting affected and this can lead to incorrect access permissions being given to wrong identities or even inactive accounts. And this can then further lead to unauthorized access and data breaches and other cybersecurity issues, which will then in turn demand you to have a more complex cybersecurity infrastructure in place.
And finally, the identity data being inconsistent and spread across the many locations, it can get difficult to comply with different compliance frameworks. How can you mitigate the identity sprawl and what are some of the strategies around that? With identity data sprawling across a wide range of systems, providing the data at the right place on time, integrated across sources and in required quality is still an underestimated challenge.
Excuse me, sorry. The effort for integration can be successfully done for verification systems, but requires a centralized and specialized approach for unifying identity data and delivering this to various IAM and cybersecurity tools, such as having a centralized identity management system. Having a good data governance framework to oversee the management, quality and overall security of identity data is also important. This can be done by having a clear definition of policies, procedures, and accountability for maintaining data quality in the IAM system.
Other things such as automated provisioning and deprovisioning ensure the timely update of identity data and overall access permissions. Regular monitoring and auditing of identity data is another aspect of managing identity sprawl. And some other measures, such as overall employee training and awareness by implementing best practices and educating them on the importance of data quality, can go a long way. Another aspect is access controls, which is one of the efficient ways of managing identity sprawl.
IAM systems utilize data about user roles and the associated permissions to implement role-based access control policies or policy-based access control policies. Policy-based access control is also a critical cybersecurity component of organizations. It allows centralized policy management and has real-time decision-making using current and accurate data. You can have fine-grained access controls. It also allows ease of integration into the organizational hierarchy, and policies can be driven by personas.
So you can have different policies based on different personas and then have control over identity sprawl. That brings us now to the second poll question of today's webinar and that is, what is the common challenge related to identity sprawl in your organization?
Is it A, inconsistent data? B, cybersecurity-related risks?
C, duplicate data? Or D, reporting and auditing issues? Now moving on, I would like to hand over to Rob Byrne and Robert Kraczek who will now present their part of the webinar.
Yeah, so welcome to this session. Thanks Tish for that introduction. I'm Rob Byrne and I'm joined by Rob K, Rob Kraczek. We're going to take you through some of our perspectives on this from the One Identity side of things.
Obviously, we'll refer back to, oh, is that sharing okay for you? Yeah.
Yeah, okay. I see the control bar on top.
Yeah, you're good. Okay.
So yeah, so Tish has laid it out pretty well and I'm pretty safe to say that if we put up an enterprise architecture for any of the organizations people have joined the call here, it all looks like a nuclear power plant blueprint, like a lot of arrows and boxes, very hard to understand. So just to have something to hold our minds, we want to give you a little analogy with this identity sprawl. And the analogy we went with is around the archipelagos and islands. So where a lot of organizations find themselves is in the archipelago situation. There's a lot of stuff dotted around the landscape.
There's a lot of complexity, a lot of intricacy. It's perhaps going to be hard to get a handle, hard to have a standard way of doing things, hard to travel between these, to communicate between these different little islands. We know in Europe, we developed all those different languages because of this kind of siloed approach.
Well, the journey that we want to discuss here and the direction we want to go is over time to kind of maybe go from a sort of the archipelago thing down to more regrouping, perhaps a grouping of islands. Let's try and consolidate. Let's try and consolidate across technologies, but standards, protocols, and so on. And ultimately, maybe where we get to is a place where things are more merged and sort of interesting. It's sort of the opposite direction to where the planet went, right? If you remember, we had, what was it called, Rob? Pangea. Pangea.
Yeah, Pangea, any geologists on the call, right? And it went the opposite way.
So, Pangea split up into lots of little things, and we're kind of going in the opposite direction. So, we just wanted to put that little analogy out there, bearing in mind, I suppose, the key point, we're not ever going to claim that we get to, you know, back to the Pangea moment, right? We're never going to have one ultimate, you know, centralized repository for all kinds of reasons that we're going to touch on here as we go through. The one thing that's missing from the picture, thanks, ChatGPT, at the end, is connections, bridges, maybe, between those final silos we find ourselves on.
I'll make reference to that later on. There does need to be communication.
So, maybe for the next iteration of this, we'll put some nice bridges in there. Okay, so there's a little analogy to hang on to. I wanted to move on and just talk a little bit around, you know, everybody on, most people on this call would have their own sense of identity and perhaps don't necessarily need this point to be made. But nevertheless, I think it's worth driving home. Your login account, the point I'm making here is your login account, the account that you log into your systems every day, be it your Windows desktop, be it, you know, your web SSO interface, that's not your identity.
It's easy to confuse with the "ceci n'est pas une identité" ("this is not an identity"), you know, my reference to the Magritte thing with the pipe, if anybody remembers that, but it can't be your identity. Your login account, you've probably got several of them, okay. You will have different personas, right, associated with different accounts across different systems. So let's not confuse accounts, especially login accounts, with an identity.
The personas and the different roles that I assume as I navigate across the business processes that I work in and that I'm involved in, the different applications I sign into, there has to be a concept, there has to be somewhere where we hang and correlate all these disparate items together, right, and just even taking that first simple step of recognizing that identity is a thing, digital identity, as a support for people, right, and other kinds of things in our environment is so important, right, because when we make that step and recognize that identity is there and we can hang policy and persona, it gives us a way forward.
I'm going to talk more about that in a moment. Yeah, that's a good point, Rob. Even on my cell phone, all the different ways I authenticate into different services that I consume, those are all just accounts. It's not my identity. So your phone is actually like a microcosm of what we experience in the corporate world where all these different pockets of authentication and accounts are housed and, you know, my phone's not my identity. It's just the housing, all these different accounts that you can log into or utilize.
So yeah, it's a good point. Well, and you raise another interesting point, which we'll call out, which is the blurring, right, of the line between that which is private, right, that which is, you know, private life and professional life, and the whole area of bring your own, you know, device, bring your own sort of, you know, capabilities or sign-in options. We'll talk more about that and the risks associated with that. We've got this identity sprawl problem, which I think is real, it's recognizable.
We, you know, we see it when we do surveys. I'm sure, Nitish, when you do surveys as an analyst, you see that sprawl is a real thing, you know. Like we found that 20 or 25 different kinds of "identity" repositories, in scare quotes, right, whatever that means to that person, spread across organizations is not untypical.
We, you know, we, a lot of what we do is moving, you know, organizations from that sprawl down. But what's behind it, because like our environment, technology environment is changing all the time. And we just wanted to call out some of the really important key drivers that we see kind of somewhat creating this sprawl that we're fighting against all the time, making it all the more important that we have robust stance to begin with, that we take a robust stance. So some of the items that we're calling out here are things like the remote working area.
And the, you know, the accounts associated with that remote working, be they VPN, be they my own local laptop, be they my Wi-Fi at home. You know, there are accounts there that the enterprise doesn't necessarily reach out to. And we have cloud resources, perhaps private cloud. And then public cloud, where we're distributing our resources up there. And guess what, those environments, being a platform, providing services, they come with their own set of, guess what, accounts and, confusingly, from a terminology point of view, quote-unquote identities, right.
And then the interconnectedness of all of this stuff is also, I think, augmenting risk and augmenting complexity for us, the supply chain, which is this little logo here, right, we as organizations, we want to be more and more connected with our suppliers, with our vendors, we want to obtain, you know, efficiencies within the supply chain. And, and therefore, we're dealing with more and more of those third parties, but intimately connected third parties, right?
Not just the guy who shows up and comes and sits down in my office, right, but digital identities that are connecting deeply into my environment. We know, from many of those breach examples, that the supply chain is a vector for attack; the American government at the moment is very, very concerned with that, you know, and that's causing various kinds of, I would say, flashpoints between private and public forces, right. So there's a lot happening there, around the identities associated with that.
Coming back to Rob's point there around the social, this kind of little logo is supposed to be the social, you know, the whole LinkedIn, and that facility we have now to readily find information about people is something that is, I would say, increasing risk, and then putting more information about the identities that we carry around with us, right, as people identity profile, but making it out there and making available as part of, you know, an attack path.
And then the last point there is just a little logo to remind us of ongoing AI and automation drives, right, which organizations are really kind of, you know, discovering at the moment. And, you know, one of the things, Nitish, that struck me in your presentation was calling out data governance aspects, right, controlling access as it pertains to data. And I think that's an unconsidered aspect there; it's starting to be more considered, because honestly, we've seen attacks there on the machine learning infrastructures, and being able to protect the data around that.
So all the identities associated with all these different environments, and the accounts associated with them are part of what is creating this identity sprawl. And I should say, these are all desirable things, we want to take advantage, but we need to keep an eye on the accounts and the, I don't know, the exhaust fumes, you know, they talk about digital exhaust fumes that are being generated.
Rob, I know this is an area that you're interested in. Yeah, so that's a good point. And you could consider each of these, these bubbles of identities are, they have subsets to them as well. So for instance, you know, the remote workforce, there's lots of different ways to look at the remote workforce and how you want to leverage the technologies available for delivering services to your remote workforce, or even to your federated identities.
But, you know, in my experience, even back in the day when I actually ran a couple of large IT shops, particularly in healthcare, where we had a number of different systems. And of course, this was back before we had such a sprawling landscape of cloud environments. But even then, it was an application sprawl problem. We had identity islands everywhere that were very difficult to federate, or in some cases, you weren't allowed to federate in a way that allowed you to manage them as a whole. And so you ended up with a lot of different attack vectors or threat areas that you had to address.
Now, because we were primarily an on-premise system with some cloud presence, it wasn't as difficult as it is today. Today, there's so much cloud presence out there. And the technologies are constantly changing and how you deliver your services that the identity itself has become kind of your, the leverage point or the security point that is the most important thing in your environment. Not that it wasn't before, but before you could obfuscate the identity behind a number of different, you know, static firewalls and brick and mortar type barriers.
But now it's so much more difficult to utilize those technologies that protect the identities in a cohesive way without, you know, consolidating those things, which we'll get into further. And I know we had some other industries that we've worked in at One Identity that have slightly different issues than healthcare.
You know, manufacturing, obviously, we're more into the automation and the AI perspective. And some of those industrial systems are very static. It's very difficult to take that static system and then draw it into a broader spectrum of identity security.
So, you know, there's things that you have to consider today that were probably consistent with, you know, things 20 or 30 years ago. But now you have additional things, you know, like social media, like expanding hybrid cloud and native cloud services. And of course, the ever-expanding use of automation via AI or just service accounts.
So, yeah, it's definitely, identities have definitely become the perimeter for a lot of our security practices. Yeah.
I mean, the mergers and acquisitions, right? Like a lot of this, like you have a very nice, tidy environment, and then your company goes and acquires somebody else.
I mean, it's not uncommon for us to come across organizations with 20, 25, you know, historically. Well, we've done that here at Quest. We've done that here at Quest and had to take time to integrate those into the environment.
So, I don't know, as a way to sum that up, we're introducing here, I suppose, the first time a kind of a formal sort of picture of identity sprawl. Rob, do you want to just- Yeah.
So, you know, in this one, like I said earlier, and like Nitish pointed out in his presentation, you know, there's lots of different data points. There's lots of different places that you can store identity and consume it, or information and consume it, and the identities leverage that information.
But again, you know, it used to be that we would have a very, you know, almost monolithic environment. I won't say it was ever monolithic. There were always archipelagos and islands and continents.
However, now we have a lot more standardized ways to, say, federate external identities and create that relationship at a deeper level for providing services and consuming services. But you still have all that core legacy stuff. I was just speaking to a customer last week. They're still, you know, on OS/390, AS/400 mainframes. They can't change that because it's a core component of the particular industry that they're in.
But we also now have, again, more non-human identities, more bots and automation processes that people are using to offload some of that workload from other sprawl that's happening with your environment. So, it's kind of a cyclical, I don't know, layers of an onion type thing where you're continually building more and more services to provide more services. But then that expands your landscape to a point where you have these huge exposure gaps now. And we'll talk about that in a little bit, you know, about some of the breaches that we've seen.
And, of course, I'm sure a lot of you in the audience have read or seen other types of exposure points being leveraged by threat actors. And that's because we have this enormous identity sprawl problem that, you know, covers everything from legacy mainframes out to the most advanced monolithic kernel software as a service providers. I think it might be worth mentioning here, like just to call out here, the cloud platforms, right?
So, whether it's Amazon or, you know, Google or, you know, Azure and so on, Oracle, whatever the cloud platform, SAP, right? With an ERP sort of oriented set of services, they're all coming with a very complex set of quote-unquote identities.
And, you know, one of the questions we get a lot, and I think the industry as a whole is still scratching its head on this one, looking at the so-called machine identities, we think traditionally of service accounts. Really what we're talking about now is what I see is a lot of what we're calling workload identity.
So, there are identities or accounts, right, that are associated with cloud, you know, objects or cloud processes or cloud runtimes. And I think a sensible, we'll come to this when we get to the strategy piece, but I'm perhaps going to put it out there already, right, is that we should be making use of the cloud, of the platform-native capabilities where it makes sense, right?
So, if the platform-native capabilities are taking care of some of those, let's say, low-level workload, device-level kind of identities and access control, then we should be using that. The question then becomes, how does this relate back to our enterprise-wide identity posture and stance, right? And that's where we need, you know, pretty beefy kind of mature identity infrastructure to be able to take on all of those different environments, because they're not really identity systems, but they have a large, they're one of the large islands that are going to remain and always will be there.
So, there always needs to be a good bridge in there. I suppose, just a place for future reference, it's worth also calling out the area of privilege, right, and how important privilege is as a kind of a strata running across all of this.
Now, are they privileged identities or are they privileged accounts? We would rather see them as the latter, with identity sitting above that. But in terms of the impact on how we're handling this and the policy approach we're taking, I think there's definitely a shift. Yeah.
Yeah, and again, so we've shifted from a very fragmented security-through-obscurity, best-of-breed type of environment, and now we're slowly evolving, kicking and screaming in some cases, as an industry into a verify-everything kind of paradigm, you know. Zero trust and least privilege are concepts that have been around for quite a while.
Frankly, you know, when they were first introduced in the industry years ago, people just didn't really pay much attention to them, maybe as a theoretical concept, but with the amount of not only governmental penalties for breaches and the amount of breaches overall, and how much money is changing hands, the verify everything approach, the zero trust approach, or at least at a minimum, the least privilege approach has become something that people are taking seriously. So, you know, again, in the past, what did we do?
We stood up a bunch of systems, we created some scripting and some loosely coupled integrations between them that made it more convenient for administration. But because we didn't have a lot of exposure externally, you know, via the internet, or private cloud connections, it was very easy to just kind of create your own archipelago, if you will, of different systems that kind of interacted, and you had some experts that knew how to make them talk to each other. And that was fine. And then you could manage that security footprint that way.
But now, with security, or the footprint, being so diluted from an identity perspective, and from an overall security perspective, the verify-everything approach has become the new way we should be looking at developing a security program, particularly around identity. Identity has become that thing that, you know, is the core of all of, or most of, what keeps you up at night when it comes to, you know, creating a security practice in your particular business or industry.
Yeah, I mean, one of the things I'm seeing, you mentioned zero trust, I think, you know, perhaps an overused term, but I'm seeing a lot of organizations getting behind that as a way to, because we've been talking a lot about technology federation, but it's also about federating the teams right across the business, right, all the way from procurement, you know, through sales, through logistics, right, through finance, through HR, into, you know, the more techie crowd, like the enterprise architects, all the way down to people that deal with specific systems. How do you get all those people, you know, behind a program, behind an initiative?
And I'm seeing a lot of organizations use the zero trust way, perhaps rebadged, right, because the name can be difficult to work with. But getting behind that, I was talking with a transport authority from the Middle East, and they were saying, well, I'm not sure how to introduce identity.
And, you know, just talking with them, it became clear that their organizational sort of mantra was they wanted to be the most trusted, you know, transport authority in that region. I was like, there's your in, right, you want to be trusted, get behind the zero trust message, federate everybody, you know, involved in any way touching on cybersecurity business process, use that as a way to federate those teams, and get behind that.
And that's, I think, putting identity in the middle of your zero trust, is the way for the identity teams to position themselves, I believe. The other thing I would say about this is, if you're thinking to yourself, well, you know, Rob, the two Robs would say this, because they work for a company called One Identity.
And the other thing I would say is that, well, if you just take a look in the market at cybersecurity infrastructure, what we're seeing more, and you'll see more and more, is that the endpoint vendors, the vendors who are traditionally concerned with, you know, desktop security, virus scanning, you know, threat and malware detection on endpoints, and, you know, increasingly in the cloud, are now more and more using and getting behind identity itself as well, which is definitely a shift that's happened over, I would say, the last two to three years, kind of an accelerating trend.
So if you like, it's not just us, you know, the identity vendors that are saying that; it's also the endpoint crowd. And actually, we're seeing more and more requests from that world, right, the endpoint world, to integrate into our identity infrastructures.
And yeah, so that's something that we're talking about and engaging with more and more. So identity really is a place to get behind, I feel, you know, it's a real thing.
It's not just a, I suppose, a positioning thing. And so that's that. And with the fragmented landscape, there are, you know, talking about identity sprawl, what are, okay, it's not going to be one big thing, but what's it going to start to look like?
Yeah, so, and keep in mind, this is from our perspective, obviously, there are other things that you could put into this bubble chart of challenges. From our perspective, obviously, identity governance and administration is a key component of any identity security, you know, program.
So understanding, you know, where you sit, as far as identity governance and administration is concerned, how that works with your IAM, or identity access management, how it works with your privilege management, how that all ties back into your, in particular, your Microsoft infrastructure. I mean, the majority of folks in this audience, I'm sure, have some sort of footprint within Active Directory or Azure AD or a mixture of both.
But the current challenge is, and this has been going on in industry for a long time, is you always have a conversation between the best of breed paradigm and, you know, some sort of monolithic design. And the multiple tools deployed process can work.
However, in today's world, where attacks happen so fast through social engineering, or permanent session token theft, or whatever, the, the challenge is to make sure if you have multiple tools from multiple vendors, or from multiple sources, that they work together in a way that you can, you can at least understand the challenges that you're addressing.
So, you know, in today's world, we have a very fragmented state, I mean, a majority of our customers that we talked to have, you know, many, many different identity security, or, you know, IT security programs, or product, products and processes.
And they also have things on the edge that are being brought into Rob's point, I mean, you'll, you're gonna, you're involving, you know, vendors that normally didn't talk to each other before, like we, we talk to vendors in the IT, ITDR space, or in the dark, you know, dark web search space, or even in the networking space, you know, Palo Alto, or somebody like that, who they're interested in tying their stuff back to an identity program.
So understanding your challenges, you know, identifying the tools that you have, figuring out, are they compatible with each other, because a lot of them aren't. And also understanding the other products that are out there that might augment an identity security footprint, those are all part of the challenge. And so typically, you'll find an environment like this, like Rob said, this is a very simple version of what your environment may look like, you know, or just a nuclear power plant diagram.
But this is our concept of what identity security, the challenge looks like you have fragmented data locations, fragmented people and processes, you have fragmented applications, you have these different services providing different identity security functions, but they're not really working well together. No, exactly.
You can see that privilege is kind of... I always find privilege always seems to be a special case. Like, we've got access management, why do we need privileged access management? Are those not kind of flavors of the same thing? And there's definitely some shades of confusion there.
I mean, what we mean by privileged access management, perhaps privileged account management if you want, concerns hardened appliances, be they virtual or real, and session recording, and then everything that goes with that, versus privileged account elevation, like delegating. Now, of course, they sort of come together to some extent with just-in-time, but nevertheless the session recording hardened appliance has to be there.
However, what we'll talk about perhaps in a moment is that we are seeing a convergence of privileged access management and identity and access management; it's a journey that we're on as a vendor. And then some of the other identity infrastructures, I'll just mention them in passing, just to acknowledge them: we are being asked more and more by organizations, well, where does this fit with the whole self-sovereign identity thing, coming from other trusted authorities within society?
And how does it fit with dynamic policy evaluation, what you would call authorization policy servers, and that kind of thing, because they're important components that are now also showing up. And so what, at least, we're doing within this environment is trying to start to merge those islands, at least into an archipelago, into a smaller collection of islands that are well connected.
Rob, do you want to just explain a little bit the...

Yeah, so this is something that we started as a concept, gosh, I don't know, four or five years ago at least. And this was the idea of creating ways to couple these services where it makes sense in an identity security paradigm. So what that means is, when you're looking at securing identity, back to our original point, you have accounts and you have an identity.
And so in every one of these pockets: privileged account management, you have an account; identity and access management, you're providing kind of the face for the environment, you're providing the SSO and the MFA and the access to the web-based applications. But you also need to govern all of that. And how do you govern it?
Well, you connect the sources of truth, you integrate via policy the different movements that your business has around identities. And then, of course, you have Active Directory and Entra ID components to think about, because that's a directory service that is ubiquitous in our world.
So when you look at the identity challenge, and how you can tie things together and make sense of it all, it is to start with your governance and work your way around the accesses, particularly privilege, because privilege is, let's face it, one of the primary attack vectors for a lot of hacks: getting to that privileged account. And take your tooling and make sure that it's tied together in a way that you're closing as many chinks in the armor as you possibly can, repairing as many, or whatever analogy you want to use.
You want to make sure that you're taking this identity footprint and you're creating as tight a knot as you can, so that it's a lot harder to penetrate from different aspects of that environment. So you're addressing the sprawl by taking tooling and tying it together in a way that makes sense for your industry. So I think addressing the challenges is an ongoing thing. I was joking before everyone joined that this was a challenge back when I had hair that looked like Nitish's. And here we are, all these years later, and it's still a problem.
And I think the problem is that as the technologies change and evolve, and the footprints of where you place things, and how you utilize the cloud, and how you're federating, and how you're doing M&A, you need to make sure that you have a core product set that can integrate together in a way that locks down as many of those identity exposure points as possible.

Yeah, I mean, I would say, as you can imagine, I'm sure Nitish and his colleagues will help plot maturity curves for organizations.
But if you ask yourself a simple enough question: have I got one place to go to check who's got access to what? Have I got one place where it all comes home? And if you don't, if you're taking the ferry between those different islands in order to get all the information you need to bring back to the central point, to the capital, then that's not going to go very well. So we wanted to run through some recommendations around this.
And so identify the authoritative sources for identity. That in itself, honestly, can be a challenge for some organizations; they don't know what they've got. Often they don't know what they don't know. It's an investigative process; they may bring in third parties to help them with that, to explore the touch points between business process and identity and access. And it's subtle, right?
Again, without trying to complicate it, some systems will not be authoritative for everything; they may be authoritative for some aspects of it. HR is authoritative for a lot of things, but the telephone number and the email address, as we know, come from other systems. So it's a bidirectional sort of discussion. And the number of sources we've got is HR and contractors and different directories. I think consolidation there is definitely something to drive for.
And I would say that the policy definition point, the enforcement point, those traditional, well-proven design patterns: the policy definition point, like your identity governance platform, what's the password policy, what's the provisioning policy, what's the role-based access control policy, what's the request approval policy, all of that stuff. And then the enforcement points, like access management and privilege that we mentioned. They still serve us very well, and I don't see those going away.
Policy evaluation point, for authorization policy service. I think we need to keep using those terms and start to map them onto our environment. Some organizations don't even use the term authoritative source. It's so important to start to identify those aspects and those flows.
Rob, I don't know if you had a comment on those things.

Well, I mean, authoritative sources is a term that's been around for quite a while.
And everybody has their own islands of identity out there that could be utilized for unidirectional or bidirectional integration into a policy definition point. And interestingly enough, a policy definition point is something that is going to be an integral part of any identity fabric.
So I guess my point with this is, when you're looking at this, you also have to consider the political aspects of what you're trying to do. And I know we're going to have to get through these pretty quickly, but when I look at these authoritative sources and the policy definition point from a technology perspective, I think this is definitely where you need to start. You need to start your design from policy at the core and how those sources are tied to the policy. You also have to consider who the players are in your organization from a political perspective.
And additionally, when you're looking at these strategy recommendations, think about how you can get your executive leadership on board with making changes to your identity security footprint, if you need to make changes, so that you can reduce the sprawl and do it in a way that makes sense to the business and not just from a technology perspective.
Because you can talk about all the authoritative sources and policies and engines and things that you want in the world, but if you don't get buy-in from someone who actually understands what the risk to your environment is from not addressing these points, you're not going to be very successful. And we've seen that. So I don't know, Rob, do you want to get through the rest of these?
Yeah, yeah. The strategic identity platforms, those systems are acting against those resources and implementing policy. We typically see multiples of these operating in these environments. And I would say there's no shame in doing so.
In fact, as someone who's worked in this space selling these platforms or working with these platforms over time, it's really nice for me to discover customers or organizations still using things which we put in place 10 years ago. I think it's enormous. It's so pleasurable to see value actually being extracted from these things.
However, all good things come to an end. And at some point, we're going to have to make that decision around what the strategic platform is. And we know in the market there are platforms, identified by the vendors themselves, that are no longer there. We have systems like that from SAP and Microsoft that we're going to need to think about how to replace. As we replace them, we want to look to standards, obviously.
And we want to look to standards-based identity systems, and ones that hopefully come with as much integration, deep data model understanding, and deep connectivity as possible to reduce our own operational cost. We clearly want to go that way, a bit like exactly the picture that Rob was presenting earlier. And a slightly technical point just to finish here on this for the moment: the synchronization, as I mentioned right at the start, those bridges. It's so important to have a powerful synchronization capability that's not just fire and forget.
Because if you can't reconcile all of this stuff and bring it home and have workflow to handle the discrepancies, the discontinuities, the little mismatches, then you're going to really struggle to get a sense of this. Just to land this, our take on it: if we can do this and we can have these systems, then we're getting to a more open-water, plain-sailing sort of situation and things should be better. The kind of benefits that we'd expect to see here: centralized management, less inconsistency between policies and between what teams are doing.
Ask three teams to do the same thing; they'll all do it different ways. And then the ability, as Nitish pointed out, to build on top of that with a solid policy around automation, around improved hygiene, which is so important for breach limitation. These are all the kind of advantages we would expect to see from this. So I'll stop sharing there, Nitish, and let you...

Perfect.
Thanks, Robert and Rob. I think it was really great. We already have a few questions from the audience, so I'll just present them. So the first question is: how can we handle the politics between the teams that are managing their own identities if they don't want to let them go? What is your take on this question? This one got the most votes as well.

That's a great question. I'll field that one, Rob. You can buy me a beer later. So I actually had this conversation with a customer last Friday. They literally argued over it in front of me at a conference table.
So addressing that, in my experience as a former consultant and as a customer and as a vendor, the most important thing that you can do in that situation is get executive buy-in at a higher level than those folks are operating at. And I hate to say it.
Obviously, that's something that is kind of a dirty little secret, but if everybody has their own islands of identity and they can't agree, it's going to take either an external consultant or someone with the ability to look above... Now, look, I respect everybody's opinion on the environments that they manage, but sometimes you can't see past what you see right in front of your desk.
And sometimes it takes either an external entity, someone like KuppingerCole, or even internal executive sponsorship to sit down with all the parties involved and work through that issue of who's controlling what data point and how we want to integrate it, before you ever start looking at technology. And the simple fact is, if you throw technology at that problem and then you try to solicit buy-in from the other departments, you may fail. And I've seen it.
So in my opinion, soliciting either a third party or someone far higher in the organization who can exert some influence over these decision makers is the best path forward before you start looking at technology. I don't know if you guys have any opinion on that one. Are you not going to touch it?

I mean, I agree with that, but I'm also a fan of the bottom-up approach, right? So if there's a way, if we can speak to the selfish interests of those guys that don't agree with you, if you can do something for them, if you can take some work off their plate, the identity team is going to take on the auditing responsibility, make it easier for them to do auditing, to get onboarding of accounts and so on, then that will also appeal.

I think another thing to look at is the DevOps approach.
There's a continuous service improvement type approach within DevOps, and also in ITIL there's a continuous service improvement approach, where you're involving all the parties. And there's actually a process laid out around getting buy-in or coming to a consensus on how to approach the issue. It may be something where you not only politically maneuver, if you will, but you also attach that maneuvering to actual processes that can be documented. And there's a methodology behind it, instead of just running for office, per se.
Got it. Okay, perfect. I think there are a few more questions, and we have some time. The next one is: we have several older identity systems that we need to consolidate. What do you recommend as first steps to start consolidating or migrating these to a centralized platform?

Yeah, I mean, this is a hard one, right? And as I said, it's okay to keep them running in the corner. If they're purring away and they're doing their job, that's cool. Especially if it's a backend system, if it's doing what it needs in the back office, where it's more sensitive. Obviously, if it's user experience, if it's business-user facing, then that fragmentation is now manifesting to the end users as logging into different systems, and they don't like that. So I think you have to pace this; you can't, as we know, eat the elephant in one go.
If you take on a very large system too early in your program, it can sink you. You will run aground.
Analogy aside, it won't go well. So you choose carefully, choose where you have a good chance of success, where you have support from the team, where they want to get rid of that thing and they are going to do everything to help you build some success, and then maybe leave the big chunky ones for later. I'll maybe just give a hint: one organization I saw found themselves with multiple user entry points. It's not perfect, but just use signposting. So it's like, hang on, where's that thing I was looking for?
Oh, I have to go... well, just click here, and then it will take me where I need to go. At least the end user is not left in what I call a digital dead end. That's the most frustrating thing. At least if you leave the signposts between the islands, then they know where they need to hop to. And that's an ongoing thing. My own experience is that you need to have good knowledge of the target you're migrating to. You need excellent knowledge of where you're landing, and you need to have good knowledge of where you're coming from. That's what I would say.
It was a hard question.

Okay, no worries. There's one more question. I think maybe Robert can take this one, because there's someone in the audience who says that they have been doing identity for more than 14 years. When can they claim that it's done?

It's never done, unfortunately. Every time you think you've finished synchronizing all your systems and building processes, you end up with more policies and modified systems and processes. And it's continual. When I first started out in this industry years ago, I didn't really pay much attention to process and adopting a methodology.
And now, as I've progressed through my career, they're so important. Like I said before, use ITIL or Agile or DevOps or whatever, use that process, adapted to your industry or your environment, and stay on it. And you'll have a much better time maintaining your identity security or overall security footprint than you will if you just throw product at it, come to a consensus and then walk away. I've seen too many customers and clients who did that. And then the staff rotated and changed, or the company morphed, and that system never morphed with it.
So unfortunately, it'll never end, but you can make it a lot easier by adopting process and staying with the process.

Perfect. There's one more question. We have a couple of minutes.
It is: is the rise of SSI and decentralized identity actually making things worse? Like, why don't we want to centralize identity? Do you have any comments on that one?

Yeah. So that's weird, isn't it? We're talking about centralized identity management and consolidation, and now we have everybody talking about decentralized identity. So it's almost mixed messages. But the fact of the matter is, yes, these are going to be new sources of identity.
But I think what's key is that we need to integrate with them, and we're starting to do that and see organizations doing it, integrating them into traditional identity and access management. And that promises to simplify a lot of the business process, especially around third parties. And the other great thing about that is that it's worthwhile introducing this new source if it's trusted, if it brings a really strong notion of trust, which is one of the things.
So we're going to see more and more, I think, of trust measures spread across this identity landscape that we've got. And decentralized identity, self-sovereign identity, is one of the ways that's starting to manifest itself. And actually, the term is misleading, because decentralized identity doesn't mean there are no centralized repositories of those identities.
There are. It just means that the user gets to choose when they expose it. So the management is still centralized, even if we've distributed the usage. So it's a great question in terms of terminology and where that stuff's going.

Understood. I think we're right on time, but we can still go for one last question.
I think, Rob, you mentioned it earlier during your presentation, but if you can recap this one: is cloud-based IDaaS the solution to identity sprawl?

Well, the short answer is no.
Not in itself. If you've got behind cloud identity infrastructure as your way forward, then that's great; you've made a decision about that. But everything we've been talking about, federating the teams, working out the processes, figuring out the authoritative sources, all of that hard work still has to go on.
Hopefully, we'll enjoy benefits from cloud-based agility, supportability, all of that good stuff. But in and of itself, it's not going to solve that. And in fact, for some organizations, if there's one type of data where they think hard about putting it in the cloud, it's their identity data, maybe also their ChatGPT data as well, IP-type data.

Yeah, I think it'd be limited by the type of industry and the size of your business and how you can buy. But I suppose the short answer is no.
But hey, if that's your strategy going forward, go for it and get behind it.

Yeah.

Thanks, Robert and Rob. I think we're right at the end. No more questions. Thank you for your time at this webinar, and to everyone in the audience who joined us as well, thank you for your time. Thank you.

Thanks, everybody. Thanks, Nitish. Thank you. Bye.