Hello. I am Richard Hill, a senior analyst at KuppingerCole. And today we're having a webinar about identity for all, not for the few. This webinar is supported by SailPoint and joining me today is Hans-Robert Vermeulen, Solution Lead in the EMEA region. And before we start, here's some quick information and some housekeeping notes, and then we'll jump into the topic for today's webinar. As you may have already noted, we have a series of upcoming virtual events, all in a very modern format with panels, presentations, keynotes, and much more.
The next upcoming virtual event is Identity Governance and Administration and Next Generation Access on September 15th, a virtual event where you could learn about IGA, its core capabilities, and how to enable and protect the digital transformation with IGA. And IGA Solutions for ServiceNow Infrastructures is on October 1st, which focuses on IT service management integration with identity governance and administration. Then on October 20th through the 22nd is the Customer Technology World 2020, where you can learn how to create a customer-centric strategy for your digital business.
So there are a lot of virtual events as well as other types of events throughout the year. So please take a look at our website, research, blog posts, and videos. And now for some housekeeping: everyone is automatically muted. So there's no need to worry about muting yourself.
We will be recording the webinar, which will be available on KuppingerCole's website. Also we'll save time at the end for questions and answers.
The GoToMeeting control panel has an area to type in your questions at any time, which we will answer during the question and answer session at the end. With that, let's look at the agenda for today. I'll start out by talking about why identity and access governance is crucial for modern companies that want to succeed in digital transformation and why access management solutions cannot compensate for a comprehensive IGA solution alone.
Once I'm done, I'll turn the webinar over to Hans-Robert who will show how even small and medium-sized enterprises can accomplish big IGA projects successfully and put them on the right track for digitalization. Finally, as I mentioned, we will save time at the end for the question and answer session.
So I thought I would start out by talking about, you know, what all organizations face today, and that is digital transformation driving modernization of its systems to one degree or another.
And this could be due to changing competitive landscapes, rapid innovation in the market, constantly increasing attacks against their information systems, as well as changing regulations or changes in organizations moving from digital projects to services. And to compete, organizations need to foster that innovation while still becoming more flexible and agile as their key competencies.
And some of these changes that contribute to that drive to modernization are those intelligent production processes to improve efficiencies and flexibility in manufacturing, customer engagement, as organizations reach out to customers and gather information about the consumers who are using their products and services, or the need to support the Internet of Things through to the upcoming 5G services or other industrial IoT modernization use cases.
So this could mean utilizing key technology, such as big data analytics, AI, robotics, or even decentralized identities or other blockchain scenarios or use cases. So challenges for small to medium-sized companies on their journey to digitalization transformation will likely include some increases in diversity of users and things with its assortment of identity types, the expansion of organizations' IT services, or the adoption of an as-a-service model where everything in the IT world could be provided and consumed from the cloud.
And this increase in data sources, which leads to more laws and regulations that organizations will be responsible for the compliance of. And these businesses will be further challenged by the need to provide more and better self-service capabilities to customers and employees, the need to increase the use of automation wherever possible, giving the visibility to the use of company systems to provide or to approve compliance of, you know, who has access to what data, and to ensure digital security across all their systems.
Well, at the same time, this increase of requirements for the organizations will be met with those limitations on, you know, available IT resources, or IAM not being a core competency of that organization, or not having the necessary skills within the business to carry out the changes, or even the challenges of using services and identities in the cloud.
So looking at the KuppingerCole Identity and Access Management reference architecture, it consists of a variety of different areas or building blocks, which can be considered core parts of identity and access management under those categories of administration, authentication, authorization and auditing. And on top of the core identity and access management functionality are what we consider extensions of IAM, such as the user behavior analytics under the auditing category.
For example, IAM is further extended by adding features that are adjacent to different areas of IT, like a tie-in to an IT service desk capability, SIEM, or even API management and security, since more and more security services are exposing their APIs. So these are some of the areas of specific relevance to companies. And too often, small to mid-sized companies believe that this is enough to support their upcoming bow wave of those requirements that they're going to need in the future, and those other market use cases, but this is not always the case.
I think it's important to understand some things that are increasing pressure on organizations. And compliance means conforming to the different rules, such as adhering to organization-internal policies or external laws and regulations. This could be HIPAA in healthcare, SOX from the Sarbanes-Oxley Act to guard against that fraudulent practice in the enterprise, user data protection like GDPR in Europe or CCPA in California, or other organizations' use of information security standards like the ISO 27001 or the other ISO series as best practices. So how do you show that you're in compliance?
You can show that you're in compliance through an audit, which is an inspection or examination of what you're doing or did to be compliant with these different rules. This might be done through showing the controls or policies put in place and the access records or any other types of artifacts that they would need. And in the end, it's really the actions that matter. And you mitigate these compliance risks by adding compliance-related capabilities on top of the basic security controls of IAM.
So to summarize this, organizations really need to ensure that they're in compliance with all the different rules, laws, and regulations, and of course, passing those audits by putting the right security controls in place and then using them.
So some common symptoms of an ineffective IAM, or warning signs that identity and access governance modernization is needed, are, for example, when users complain that there are too many ways to request access. If you have several different portals that you need to go to to access the different applications and services, then this may indicate an issue. When new applications or services become available, such as a cloud target of some sort, and these connections aren't readily available, this can cause manual workarounds to get them to do what you need them to do.
There's always the lengthy user onboarding processes, as well as the incorrect mover/leaver. And that revocation of entitlements can be an issue when you can end up with many entitlements that maybe you shouldn't have, and not being able to deal with more groups of users. Or when going through a recertification, and there are many users with dozens of entitlements to go through, and you may not even have a clue what all these entitlements really mean, that can make that recertification bumpy and not very well liked by its users.
There's incomplete, inconsistent role models that can lead to situations where people get frustrated because things become too complex to do. So we have a variety of challenges for IAM and IAG that point to what can be avoided when you do access governance the right way.
So when organizations realize that identity and access governance is needed, the question is, so where does IGA fit into all of this?
In the KuppingerCole IAM reference architecture, IGA covers both the administrative and auditing categories here on the left, addressing that joiner, leaver, mover processes with identity provisioning, life cycles, and having strong access governance for, you know, who has access to what entitlements, for example, is really what's important here. So the identity provisioning part of IGA is really about provisioning identities and access entitlements to those target systems.
This includes creating and managing accounts and access entitlements and associating the accounts with groups, roles, and other types of administrative entities to enable entitlements and authorizations in those target systems. That identity provisioning is also about automating these tasks based on defined processes for creating or updating or deleting identity-related information in the target systems.
And these capabilities are those connectors to the target systems.
It could be account mapping and identity models, having that flexible but centralized data model that allows customization by customers for specific needs, workflow capabilities to support that request and approval process or for automating the management of identities and access, the user self-service interfaces, for example, for password resets or user management, being the ability to manage their own identities, having that access request management or delegated administration features, for example. When you look at access governance specifically, we need to consider some things here.
So we need access to systems, and this should cover as many systems as we can across all the different deployment models. We need to connect to the systems wherever they reside. So the breadth of the ability to connect to the systems, but we also need the depth or the deep insight into how these connected systems correlate. And this is really where the technology can help us to do things better because this insight on how things relate and where problems occur, takes analytics and on what to do, which makes things much simpler and better overall.
And all these things need to be effective and efficient in the end, you'll need to deliver also focusing on what's really required and to automate where automation can be used or make sense. So identity governance and administration is primarily access governance and identity provisioning together. IGA relies heavily on connectors, depth, and breadth, as well as the solution's ability to utilize the user groups, roles, and other attribute information that's available.
For example, when that, when using that information within the identity and access intelligence capabilities, it can help identify the associated risk and provide useful insights that can improve the organization's compliance and overall security posture. Also the solution's ability to ease the workload through efficient workflows and automation features as well as user self-service is beneficial.
Finally, having a centralized, single pane of glass view of users and their access to applications and services across the different deployment models, along with metrics and insights makes it easier for organizations to really get a grip on compliance and their associated audits.
So some important features of identity governance and administration to consider, right: identity provisioning and life cycles.
We talked about the joiner, leaver, mover processes, the ability to provision identities, also access entitlements and other identity-related information in those target systems, such as applications and services. Also other capabilities to consider, among others, is the ability to access identity stores, data modeling, and mapping between the different systems, as well as the ability to handle different identity types.
Another key component of IGA are the connectors, both the depth and the breadth that they're capable of handling. Consider both the number of connectors and the breadth of target systems that could be utilized, including directory services, business applications, mainframes, et cetera, and the capabilities of the connectors, especially when it comes to connecting to complex target systems like SAP environments or legacy mainframes, for example.
So that connector breadth also looks at the support for standard cloud services. The connector depth further examines that customization capability for connectors through connector toolkits, and their ability to use popular or relevant standards as examples.
And then there's the access and review support. This supports the auditing and ensuring compliance such as integrated access compliance or governance capabilities that support activities like the review and disposition of user access requests, certification, definitions, and campaigns also access remediation when violations are found.
So for example, segregation of duty controls to identify and track and report and mitigate the SoD policy violations as part of that integrated risk management, as well as role management or policy management capabilities. And increasingly, IGA is providing identity and access intelligence capabilities. IGA intelligence that provides business-related insights, supporting effective decision-making and potentially enhancing the governance capabilities, can include advanced features that use machine learning techniques that enable pattern recognition for process optimization. Role design, automated review, and types of anomaly detection are also considered beneficial capabilities.
Other capabilities can include the use of user information from authentication and authorization events that are used in analyzing user access behavior patterns or detecting that anomalous access.
And then there's the use of automation is also increasing as organizations seek to become more efficient, which includes workflow and orchestration of security processes. And then finally is that centralized governance visibility.
This is a measure of the extent to which identities and access under governance control can be viewed in some kind of a consolidated or single pane view, such as a dashboard of some kind format. Also having that centralized access to reports and auditing is typically provided as well.
So some benefits of identity governance and administration are the ability to provide that visibility to user access and to ensure that compliance through anomaly or outlier type of detection, as well as identifying those orphan accounts, certification campaign processes, and trends, for example, being able to audit or support those audits to demonstrate, you know, an organization's compliance regarding their internal policies or external laws and regulations, for example.
And so to support that resiliency through mitigating risk and improving security overall and providing efficiency with workflows and automations that help improve processes such as faster on and off boarding, enabling self service as some examples. So I think I'll stop there and turn over the next portion of the webinar to our guest Hans-Robert.
Yeah, let me, let me get started with maybe a little bit of an introduction of my history and a bit of a trip down memory lane.
I, I want to talk about a few significant changes in identity that ultimately have led us where we are today. So I'm going back to 1992 in this picture, and this is the, the Hayes 9,600 baud modem, which at the time was the fastest thing that there was on the planet to be able to connect to the internet over, over an ancient phone line. This was at the incredible speed of 9,600 baud, which was about 960 bytes per second. And that's not kilobytes, not even megabytes, that's, that's individual bytes.
So I guess if I wanted to load up my favorite news site today, that front page would probably take about 15 minutes or so. But anyway, this is significant to me because it's the first time I remembered that I actually had to enter my credentials online.
The first time I had to use my identity was to be able to access the, the internet itself.
Now, before joining SailPoint, I worked for Novell, and by the 2000s, a lot had already changed and Novell released DirXML. And that was one of the first products I got to work with, which addressed the challenge of what then was pure identity management at a broader scale, because we started to onboard more and more applications, typically into our internal networks, but it did require us to manage the accounts for each user through some form of automation. So essentially provisioning was born and it kind of went mainstream not long after that.
So I guess another where the industry was rethinking identity. And for me before my baby steps into the world of identity management that led up to identity governance. So why is this important, other than telling you a little bit about my background? Identity is ever evolving. 20 years ago, identity governance didn't even exist.
Identity management was 100% focused on account-level management with very little fine-grained access rights management. On top of that, it was almost exclusively an area also for large enterprises. Certainly it wasn't top of mind for medium-sized enterprises.
It was just too expensive for them to do and then maintain. But a lot has changed since the 2000s. Every company these days has to deal with more and more identities, right? We're not just managing our own employees. We're collaborating with customers. We're collaborating with business partners. Instead of dealing with our own internal users, we now often have to deal with thousands of additional people that have access to our systems, for which we are responsible to protect their identity. Often this more than doubles the number of identities.
Sometimes it's more than tenfold or, you know, a thousand times the number of identities we would need to manage internally.
There's many more applications that we have to manage. Cloud adoption has obviously spiraled and people buy and adopt tools at quite alarming rates. Even if I look at SailPoint, we're about, I guess, 1300 people now. We have over 200 cloud applications, and that's a lot to manage, that's a lot to control access to. And then of course, Richard already mentioned it, but there's a regulatory pressure.
Now this used to be exclusively for banking and finance and listed companies, but especially with GDPR identity governance has become a challenge for all of us, large, medium, or small enterprises. We all have to put a governance program in place and it is virtually impossible to get it right without the proper tooling.
Now, one problem that comes with a high number of applications that we need to connect to can be solved by single sign-on, right, getting access to your application in the first place or access management solutions, as they're also called.
And their adoption has also spiraled. Many companies have invested in SSO solutions to make sure we can all access these applications in a secure yet very simple way. Now, SailPoint obviously integrates with all of them, both from the point of view, as well as from the governance point of view.
But I just want to highlight that SSO solutions are mainly focused on authentication use cases. And while some of them have adopted some basic life cycle management elements, they do not focus on authorization depth much. They especially have challenges around the management of fine-grained entitlements within applications. And in fact, often do not handle mover or leaver processes in an explicit way, which obviously should be two of your most critical governance controls. So let me explain why identity governance is different through an example.
So I've got a sales rep and in this case he needs access to a few applications, but let me just focus on Salesforce here.
An SSO solution will authenticate me and grant me access into the building, so to speak, right? It opens the front door for me. It may even be able to create my account on the fly for me, but it's not enough to just enter the building and have an account for Salesforce. What IGA adds is the ability to determine what rooms within the building should be available to you.
In other words, in this case, the sales rep's access to Salesforce should be limited to just his territory, UK, to be able to read contacts and create deals. This is the principle of least privilege. That is something that is mandated by regulations like GDPR. And obviously as I move, my access needs to be revoked, new access needs to be granted. That's where if I move over from UK to Germany, I should no longer have access to read any contact data or create deals in the UK. I need that level of access within the German region.
It's very important that I maintain least privilege when my role within the company changes.
In the same fashion, a salesperson should be able to see his commission, right, but not calculate them. In general, there should be a clear separation of duty between the person that can approve commissions or can approve any kind of incoming invoice and a person that in this case pays commission or the person that can approve any kind of outgoing payment.
And again, that's not just a best practice, that is required by many regulations and many accounting best practices. So identity governance is more than just creating an account or granting access. It's about making sure each person has the access to only what they need to do to do their jobs without causing unnecessary risks to the organization.
So now, if we're all aligned on some of the challenges that Richard also mentioned, and some of the things we've seen, let me start by sharing with you some of the most important lessons that I have learned over the last 20 years while being in different roles in that identity space.
In only three slides, I'm going to highlight what I believe to be the most important elements to a successful IGA deployment for all, but especially for mid-enterprise level. Stick to these rules and your chances of running a successful project will increase massively.
First one: success is not measured by the number of technical features that you have implemented. And especially for smaller organizations, you have to understand that less can be more. Focus on the desired business outcomes, and you will be able to overcome a lot of technical objections. Don't boil the ocean, right? You should all focus on the achievable goals for the company and your governance program. Sometimes that is not very sexy. Sometimes it can actually be pretty simple.
We have examples where we deployed phase one of our governance program in just a few weeks' time, and those are successful and happy clients. Sometimes it looks like technical people just like to make it complex. And they often do so by looking at all the potential functionality they could implement to make their life easier, or that are offered by the tool, because it's cool to use it all. Now over the years, I've seen that natural behavior lead to the most customized solutions being deployed. Some of them absolute technical marvels, absolute brilliant implementations.
When you look at it from the technical angle, but when you look at it from a business angle, it simply was very costly to achieve. People have also spent 80% of the budget on roughly 20% of the functionality, and many projects either got canned or struggled to keep the products that we're using running for the longer term, especially when people with expertise left the company, or, you know, when simple patches turned out to take weeks to test and deploy. If only I could share the number of competitive replacements that SailPoint and our partners are performing each year, it's, it's, it's amazing.
And most of these are because people painted themselves into a corner through customization and simply could not do a simple upgrade anymore. So for every element that is not out of the box, you really should be asking yourself a few questions. Is it a nice to have, or is it an absolute must have, is it on a critical path for successful delivery of the desired business outcomes or, or isn't it? And what would really happen if we do not implement this customization, but stick with the defaults or stick with simple configuration that is offered by the product out of the box.
Because if you find yourself spending more time on operating your environment, updating it, patching it and maintaining it rather than on running your identity governance program, something is wrong. You should be using the product. You should not be spending time on maintaining it.
To illustrate, here's a good example that I've encountered many, many times. Let's just assume that the data feed from the HR system is missing one critical piece of information. There's two ways to deal with that.
The first one is that you can take the stance that you cannot change your process, and therefore you try to implement it the way you've always done it. You start building a workflow that basically pauses the process, pops up a form, asks the manager for additional input, sends it back to the HR team for approval and then continues the onboarding process. That's the technical approach that many organizations have taken. You can also simply acknowledge that the business process is broken and you can ask the HR team to include this vital information and move forward.
And trust me when I say that, especially as a smaller or medium-sized enterprise, you will be far better off changing your process wherever you can than resorting to customization.
Second point I want to make is that you're probably not as unique as you may think. Now this might come as a shock to some companies, but really the processes around governance, access certifications, joiner, mover, and leaver processes are not so different between companies. There is a reason best practices are called best practices.
It's because they apply to many companies, highly likely they're going to apply to your company as well. So if you dismiss out of the box functionality, because you've always done things in a different way and do not want to even consider to change the process, you may be heading for a very customized solution before you can say IGA.
Now, maybe this is something large enterprises can afford to do, but it's far from desirable and often the elephant in the room when it comes to the reason why a project has been abandoned over time or has stalled.
And the third and last point I want to make is don't think this is just another technical project. Sure, there's a lot of technical stuff we need to do. We need to connect to your applications. We need to get things configured, but the goal of the program, because it's not just a project, governance is a full program.
The goal of the program is to achieve business value, reduce risk for the company. And yes, hopefully deliver a solid ROI, return on investment, as well. For some implementations, that means your phase one is nothing more than simple connections to applications and some extra certification configuration. Maybe not the technical marvel the IT team was aiming for, but of great value to the company. And realize it's only phase one.
To be successful, you will need executive support to ensure that you can change existing processes when needed and, and where it makes sense to speed up the adoption of your governance.
Do you remember my example about missing data from the HR feed?
Well, executive support means you can get around the table and solve this, as the HR team really owns this part of the process. And it's in the company's best interest if they provide you with the correct set of data. So executive sponsorship really makes a difference here, but please also consider that governance is never done. You are reviewing access on a regular basis, and as you onboard new applications into the company, you need to assess what data they hold and if they should be brought under governance or not.
Okay.
So that's it for lessons learned. Let's discuss what SailPoint has done to really simplify deployment for medium-sized enterprises of what is, in nature, a complex problem to solve. As of today, SailPoint has around 1600 happy customers, and that number is supported by an amazing 95% customer retention, which is extremely high in this part of the industry, especially when you realize that in, I guess, about half the implementations, we are actually replacing competitive products. So there's a lot of failure out there. There's a lot of people that have painted themselves into a corner at one point.
Now I know this slide focuses on the big enterprises we serve, and sure, that is important in the market, but equally SailPoint thinks about mid and smaller enterprises out there. In fact, that's where our SaaS approach came initially into play. SailPoint has been a clear leader with all the analysts for well over a decade with initially only IdentityIQ as our flagship traditional on-prem product, but for about five or six years now,
SailPoint has been offering IdentityNow, the industry's first and, in my humble opinion, still only true multi-tenant SaaS solution for identity governance.
And it's another example of where we were rethinking identity. So let's discuss specifically why we created IdentityNow and what it has done in the market. IdentityNow is a simple to use and yet easy to deploy identity governance solution that is always up to date: no more upgrade projects, no more patches, no more downtime, no more unforeseen costs. Every single client worldwide is always on the latest version. No exceptions. Now we currently have well over 400 SaaS customers and that number is growing steadily each and every quarter.
This is already a significant part of our customer base and IDN adoption keeps growing rapidly. With that number of clients, true multi-tenant SaaS is the only right business model to be able to do this at scale.
Imagine having to host, update, upgrade, you know, over 400 individual clients in a cloud-hosted approach, each with some level of customization probably. Now, even with technologies like containerization, it just doesn't scale. And paradoxically, customers would suffer from that model the more successful you will be in selling it to others.
I'm sure we all understand the benefits, the business benefits of a SaaS model, right? No doubt each of you have dozens or, in many cases, probably hundreds of SaaS applications in use by now. Initially IdentityNow was exclusively focused on the mid-market enterprise.
In fact, our design goals were set out to meet requirements in that space. And we focused to bring core IGA capabilities to those companies without the complexity of a typical IGA deployment, through a service that is quick to configure and could go live in weeks. And that is still what our IdentityNow delivers today.
It is designed around best practices and it is very configurable. It takes away the need for costly customization because of these built-in best practices.
Now, interestingly, while IDN was initially intended to serve that mid-enterprise market, there's been a lot of uptake from larger organizations as well. And guess what one of the main business drivers is for those customers: less customization. They are actively trying to select a solution that allows them to steer clear of customizing their solution, and in fact, prevents them from creating something that cannot be maintained over time. They want to be on the latest version. They want to be able to stay current without additional cost and uncertainty.
And they're willing to change some of their business processes to, to make it happen. To me, it looks like they've learned an important lesson. Now there should be a lesson really learned for all, but especially for the midsize enterprise: don't make it too complex.
Carefully look at your existing processes and have an open mind about changing them for a smooth and successful outcome. And all of this accumulates into this one slide.
Really, if you, if you look at these statistics, these are rolling, rolling six-month numbers for the service, all of it delivered with zero downtime, zero customer upgrades, and no infrastructure for clients to manage. It's taking away a lot of complexity, and that is a level of complexity that most mid enterprises simply don't want to have to deal with in the first place. And shouldn't, because it's not their core competency. They should focus on those things that make their business run and where they make their profits.
All of this is part of what SailPoint calls predictive identity.
Now IdentityNow offers a number of modules ranging from provisioning through to separation of duties. But IdentityNow is not all that SailPoint has invested in SaaS. As part of predictive identity, our core governance capabilities depicted here in the top row are available both as SaaS services through IdentityNow and as traditional on-prem services through IdentityIQ.
Now, SailPoint, with the predictive identity strategy, has invested in additional SaaS tooling that leverages a lot of artificial intelligence to allow our customers to move their IGA program into the next phase of maturity, and for some really into the next era. We're providing, for example, valuable information through access history and KPI dashboards that allow you to discover how your program is performing, who is making both decisions, who has the most decisions to make, what access is being requested the most.
In other words, where should our focus be next to make things easier for people? We're helping you build and maintain roles by suggesting new roles and soon suggesting changes to existing roles. We're helping you, we're helping your managers essentially make better decisions in access certifications and approvals through recommendations, driven off of true AI, which is a lot more than just a complex SQL statement, I may add.
In fact, if people start using our recommendations, we see that the number of revocations in access reviews is going up drastically, as much as 30%. And the interesting thing there is that means your access governance program has just become more efficient and is actually achieving its goals much better than previously.
We've also added specific cloud governance capabilities to allow you to have full insight into who has access to what within your AWS, Azure and Google Cloud Platform environments. Even when access is being federated, when technically no local user might even exist on my platform, we can still provide you with that view.
We will be able to tell you what roles are not used, what users are over-privileged allowing you to strive for least privilege access within those critical environments as well.
We're also allowing you to securely orchestrate credentials to your cloud virtual machines, rotate your passwords and keys, and discover new virtual machines and bring them under management in a fully automated way, all with cloud governance. And finally, SailPoint also delivered File Access Manager a number of years ago, which is delivered as a traditional piece of software that allows you to securely manage access to your sensitive data and files in the cloud, as well as on-prem.
In short, SailPoint will have you covered from your very first step into the world of identity governance, right down to the most mature and advanced requirements that any company may have, any company of any size. So that's it for me. If you want to learn more, obviously feel free to reach out. You can reach me, or you can email inside sales emea@SailPoint.com or just visit our website. I'll hand it back to you, Richard.
Thank you. So now we reached the question and answers section of the webinar. As I mentioned, the recording of the webinar and slides will be available on the KuppingerCole website.
If there are any questions on your end, don't hesitate to enter them now. The GoToMeeting control panel has an area to type in your questions at any time. So let's start off with the first question. You mentioned that AI is the next big thing in identity. Do you feel this is also needed for mid-size enterprise level customers that are putting their IGA program in place?
Yeah, I certainly think it's of great value. The simple fact is that AI can do what no human can do. And that is look at large amounts of data and analyze them.
And again, in ways that no person could. So if you look at what we're doing in that space, it's, we're basically looking at every single user, looking at all the access they have, and we're comparing them to every other user that has a piece of that access. And we see how they relate to each other.
Now, just imagine there are four people in a room. If I want to look at every unique, possible combination between them, I've got, you know, 12 different parts that I need to discover, but if you say I've got a thousand people, that's already close to a million, and if you do that for all the access those people have, you're looking at many millions of potential connections that you need to, you need to refer.
So you need to go calculate a, you need to go through, but based on that information, you're getting some great insights.
And there are a few key things where I think especially mid-market is going to be helped alongside, you know, large enterprise. It is those recommendations that I mentioned earlier. Recommendations really help to give you the insight into why we feel that this piece of access is inappropriate. And it empowers people to actually hit that revoke button. Because right now, very often people are presented with a lot of decisions in access certifications. And we can certainly simplify that for you, but still people are hesitant to hit that revoke button.
And the other thing with AI is, because of the insights we have, because of the analysis we can do, we can start helping you build better role models, which obviously leads to fewer decisions because roles can be automatically assigned. Roles can be requested in one go, instead of needing to understand what the individual components are that I would need to request for proper access into an application. So roles are really the way to go, yet a lot of people struggle getting roles in place or are hesitant to walk down that path because of complexities.
So those are two areas where I think AI is critical even for smaller and mid enterprises.
Thank you. So the next question: you also mentioned the complexity of cloud platforms like AWS or Azure or Google. Can you elaborate a little on that, or what are the biggest challenges people are facing?
So I would argue the single biggest challenge people have there has to do with the amount of change. Those platforms are so much more dynamic than anything that ever happened in our traditional data center. And then there is the lack of visibility.
If you look at Azure or AWS or GCP, and you just want to answer the very basic question, "can you show me who has access to what?", there's no one report you can look at. There's no real good visibility that you typically have over that. This is again an area where we've added some AI components to be able to tell us that, because in order to answer that question, show me how this entity, which could be a user, could be a Lambda, could be your virtual machine, show me what access that element has to, you know, all other elements within the environment.
I really need to traverse every single policy, calculate every potential access path, to be able to truly understand what resulting access that entity has. So it's not just limited to human identities, it goes much further. That is a problem that, if you talk to a DevOps team, they may not see as a problem. They're measured on the speed with which they can deploy changes. But if you talk to a CIO, AP is definitely top of mind for them on how do I get control over those environments?
How do I even try to understand really how access is granted and who is actually using that access, which is another important point. Those environments are so rich in privileges. You're talking about users that would have thousands of individual privileges, and then that changes on a continuous basis, right? So how do you get in control? The traditional way of certifying access every six months is not going to cut it, right? So you have to come up with a new, innovative way to get in control on those particular environments.
And that's where again, artificial intelligence is helping us to, to achieve that.
Okay. The next question, one of the big challenges for any IDM or IGA project over the years has been to onboard applications, has standardization helped there in any way to remove some of that complexity?
Yeah, it absolutely does. You actually mentioned this as one of the key points in your presentation, right? Connectivity is absolutely key to onboard applications.
Now people have choice; not everything needs to be automated. Sometimes you have an application that may have only an oh five users change over the course of a year. Why would you want to automate every change to that application? It's perfectly fine to go through the help desk. Yet from, for example, the GDPR perspective or other regulations, it is super important to run regular access reviews.
Well, you know, you're perfectly fine to work with a CSV file for that application. So be smart about how you connect and what you want to do with that application. But on the other hand, especially now we're talking, you know, 90% of new applications, maybe 99% of new applications being cloud applications, and definitely REST APIs have become more mature.
Most cloud applications, most vendors understand they need to provide proper tooling, and the SCIM protocol has really driven adoption. They're making it easier to connect those applications by having a standardized way of reading user information and granting access. So that obviously cuts down on complexity in connecting to those applications. And that has helped tremendously as well. Yes.
Thank you.
And then the last question that we have on our list, most business cases for identity projects rely on positive ROI, but with IGA, like with security, there's a lot of focus on risk reduction. How easy is it to quantify or, or that cost savings? Is that really still the most important element?
Yeah. So that's a really nice question. Certainly most of the projects I've been involved in the business case really started from, if we can prove we're saving money, you know, we're going to fund ourselves and it is important to companies and there are a lot of efficiencies to gain.
I always say, when I talk about what SailPoint does, that we're basically selling three things. We're absolutely selling risk reduction. We're absolutely selling efficiencies by automation of joiner, mover, leaver events. You can save a lot of help desk calls. You could save a lot of money.
You can absolutely achieve a good ROI, but importantly, there as well is we're also selling an end user experience, and the end user experience of onboarding or doing something simple, like a password reset across applications, very often today is horrible within organizations. And I think that is one element that many people overlook.
But if you look at kind of those three axes, risk reduction, return on investment (cost savings, efficiencies), and user experience, I think if you throw them together, you will see you can get most of the business case together on either of them.
One of the things I try to educate people on also is there is a difference between what the whole industry talks about, joiner, mover, leaver, fairly often in kind of the traditional sense of identity management. That is how IT people typically look at it. I first want to solve the joiner problem. Then I want to look at mover, then I want to look at leaver. Why? Because that's where I say most of my time.
But if I look at this through the lens of a CSO or CIO, and I look at it from a risk-based perspective, I say the most important element there is the leaver; the rest of these are just costing us money.
Leaver is the biggest risk, right? If I get basically caught with my pants down because I'm breached because someone has left the company, basically we failed to do something as simple as locking their access. I'm not going to get a discount on my fine when we get breached.
Now, if you look at the mover problem, right? If you solve that, you've actually also solved the joiner problem. So looking at it, people at that often want to tackle it that way.
I say, if you turn it around, you first focus on leaver. You show a massive risk reduction to the company at virtually no cost. From a project perspective, you get that by just connecting to applications, you get this kind of free of charge if you want. And then focus on adding in more functionality and focusing on the cost reductions.
You are going to not just have a good business case on the ROI, but you're also going to be able to show value in a really short amount of time. That definitely appeals to the CSO CIO level of the organization.
That combination, I think is ideal to start focusing the business case on not just the cost aspect, but overall you can definitely achieve a positive ROI. And, and that is something that, you know, we've, we've often helped customers with, with a business value assessment that give them an insight where to look to turn up the right numbers.
So, you know, we, we're helping a lot of prospects that way as well.
Okay. We're coming to the end of the time that we have for today. So thank you to all who attended the webinar, and we hope that we will see you soon at one of our upcoming KuppingerCole events.
Thank you, Hans-Robert Vermeulen, for your presentation and to the audience. I hope this was of interest to everyone. All right. Thank you.
Thanks Richard. Thanks everyone.