Thank you so much. So just a bit about me. I have been working with IAM for more than 15 years now. I work for NXP.
However, the views which I share here are completely my own. The best way to reach me is through LinkedIn. And I am totally available for any questions, even if we don't have time here, if you want to talk about it through LinkedIn, just message me there. So today I'm going to talk about, are you building a legacy IGA?
And when I mean legacy, I mean old and traditional IGA. So you must be thinking, you know, why I'm coming and making a statement about questioning your IGA solution. But before I go into a lot of depth, I wanted to talk about a few facts, right? So the first fact is just with 3000 users and hundred of application, the cost to implement IAM, either you want to build a self built or cost it'll cost you more than five to 6 million, right? And then of course we do have more users and more applications and complex infrastructure. So the cost is definitely high.
And if you build something bad, which is not useful, that cost is still very, very high. The second fact, which I want to talk about this, there was a survey done by Gartner recently, and these are the percentages which I'm going to address in my, you know, that's where I want the you part comes into play. So I want to refer them as the you here. So Gartner reached out to around 400 plus organizations to talk about their IAM solution. And 24% are okay with their IGA. Probably those are the groups we need to reach out first to check if they are right in their thoughts.
The second, the 26% are thinking it's very expensive. And of course I talked about how IGA is costing five to 6 million. So it's definitely very expensive. And 31% are ahead of the game where they know that their IGA solution does not address their current requirements. So with these facts, I want to talk about when I say you is all these percentage of companies which are building legacy and how will, you know, you are building a legacy IAM if your IAM program or project is multi-year and you have not realized your ROI yet, if you are still solving your traditional problems, right?
Which is maybe automate the provisioning life cycles, or maybe get rid of your help desk with true self-service, you are implementing a heavy monolithic architecture of these products, which are available. And just a story here.
You know, I've worked in various implementation of IAM and we spent millions of dollars to stand up and we are still onboarding applications and assets to the IAM solution. And what we came to know is we have a new release coming up and we have to upgrade. And that was a total no-no, because we spent millions of dollars in this release and we have still not realized ROI and we have to ask for more funding to upgrade. So what I'm referring is it builds technical debt, right?
So you build something which is hard to upgrade, which is hard to maintain, very poor user experience. And then IAM products are meant for IAM functionality and not for user experience. So definitely there is a lack there, and few of the cybersecurity risks are not getting addressed, right? So are we going to the cloud? Are we protecting cloud? No. Are we doing just in time? No. Right. So we always provision static accounts. What I'm going to address is if you are building a legacy IAM, then I'm going to structure our conversation into these five pillars.
And we'll start with the first one. So I think like an IAM program, I think we get it right here. We start with a roadmap and we start with a strategy. I would strongly suggest to use that same fundamentals here when you are building your IGA, make sure you know what your fundamentals are and you do it in the right order, but mean you're doing it. Please keep checking current status. Right. Do the benefits really apply? Are you looking at the ROI?
Is your business and IT strategy seen, right? Because we are solving IT problems and business problems. So we have to be in line with their strategy, right? What is their automation strategy? Are we in alignment? Does leadership support your program? Is there full commitment from them? And of course, budget, I'll come to that a little later. What are the trends? Where is the competition going? What are the trends which we should be aware of? What are the new features which we may not know, or may not have explored, which may help us?
And then the most important is have you communicated what you are thinking to do with IAM strategy across? When I say across, do business people know, do IT people know, the people who implement your IAM program, do they know? Right. So it's very important that we communicate the strategy.
Well, because the more we communicate, the more people are aware that we may be heading in a wrong direction and then somebody will make a call. And then we brainstorm more, right? So these are some important strategy points which I wanted to make. And if you think it's time to modernize, of course, you have to start with a roadmap and you have to start with a business case. So even if you have planned to replace, that's your starting point. I'll move to budget and ROI.
And I've spent a lot of years figuring out what is a budget and have issues with the budget most of the time, right? So if you are not realizing your ROI, something is wrong, right? And then some of the reasons for that is because IAM programs are long enough, three to five years and maybe more, right.
And we are lost between how much of risk reduction we are doing versus how much of productivity improvement we have done. Of course, we don't have benchmarks because we are implementing IAM first time, while in the three to five years journey, we never look at the changes which have happened.
Maybe the IT cost has decreased. Maybe few things have been automated internally. And we have never adapted that.
Also, what we don't include is how IAM will enable business, right? What is the cost will IAM have to do? So to start something new, of course, IAM has to onboard again in their IT solution. So these are few reasons which I could make out of why you are not realizing ROI. And then to ask for budget while you are in of how you are going to migrate. Like I said, start with the business case, you may not have to ask money. You will have to just relocate your money through prioritization. You share your cost with IT and business because you are solving their problems.
When I say their, you know, of course they will see the productivity improvement. They should realize ROI in their work. So sharing cost with them, whatever you get, please build it very wisely.
You know, look at their fundamentals, make sure you automate everything which you built. And from day one, you should have a lot of solutions or designs of how to do integrations. You have to do a holistic approach. You have to think maybe ServiceNow is there. Then I have to integrate with ServiceNow, right? So maybe if there is cloud, then you need integration with the cloud. So that thought process has to be built in beforehand, not later, because the more you shift to the later part, the cost increases and we will be short of budget.
And then this is a very, very easy one, continuous prioritization. I just wanted to make sure we know about it. So like every SRE from Google or DevOps, I think all these best practices tell that change is needed and should be gradual.
We don't believe in big bang change. The smaller and the more frequent changes you do, the better to realize benefits, and prioritization is key. So I strongly recommend to follow these three principles in your prioritization journey. And of course, like I said, it's all agile, DevOps, SRE concepts do apply in IAM. Excuse me. So the so fifth point, I wanted to capture a bigger umbrella called integrations. And I spoke about it, meanwhile, in earlier slides, but what is the current landscape now? Right?
We have seen that people don't have a network or perimeter defined, right? We can log in from anywhere into our office workplace and work from anywhere. A lot of companies are going for cloud environment, maybe a hybrid, or maybe just public cloud, right. And digitization, we are having multiple devices with us. And then we have to start thinking about how users and devices are related, right? And these devices could be BYOD, right, bring your own device. So things have changed and we can't work with the same idea, which was 10 years back in this environment.
So what worked earlier doesn't work now because we have more tools to integrate. I've not talked about API, right? Maybe IAM should not do user interface at all. Maybe we should use user interface of the products which are good at it, right? Maybe ServiceNow, maybe we should look at how do we, when we make these integrations, we have to automate, right. We cannot have manual processes or where an engineer or a support analyst looks at data and then decides on what to do. Data integration, big, big challenge.
Of course, we have now security event monitoring team. We have a SOC team. We need to make sure we have the right data flowing to them. And the data integration flows from multiple applications towards the security incident and event monitoring team. Hybrid cloud architecture. IGA products are still struggling to think about how to support cloud, right?
And every company is now looking at maybe Office 365 with Azure AD or AWS or Google Cloud implementation. So what are we going to do there? And as we build these integrations, what we generally forget is KPIs and failure modes, right? Where are we testing those failure modes? What happens if the integrations don't work? So that's a very, very key thing in this journey. The fifth one is modernization, and this is one of my favorite one. And I was thinking about the list was growing and growing. And then I have to push myself to keep this list smaller.
So what is modern? And I've been talking about, you are building a legacy traditional IAM. So what should you look next? Sorry. So passwords, right? Move beyond passwords. We are going in a passwordless environment. So we have to move beyond passwords. I talked about why a static account. Why not just in time? Why are we not leveraging API or SCIM-based provisioning anymore? Have you thought about how to enable mobility? And in terms of link, the users with devices through it, are we storing the user context? And user context is going to be very, very important for zero trust.
And as we decide the risk scores, risk score based authentication will depend on how the user context is built in. Maybe privileged users will have more context to gather than the normal user. What about the implementation part of IGA? Right? Can we look at microservices based architecture rather than a monolithic architecture? Can we expose identity services through APIs and let other integrated product consume the APIs to make integration and automation really fruitful? Analytics, AI, machine learning.
Of course, we need a lot of data. We deal with a lot of data. So of course we need to run analytics to make sure we understand if, if there are, for example, if we have a team of seven and six of them have similar access, then why is the seventh one left out? And if the seventh one is having some additional access, then it means maybe it's historic access.
So I think those kind of analytics has to be presented in a dashboard. Maybe those are my KPIs, KRIs to track IAM, IGA functions. Scalability of IGA is a big, big problem. And I have faced this issue multiple times. And maybe for that, I want to move to cloud and have look at IDaaS solution to help me scale IAM. Then what about DevSecOps? Right? Excuse me. So a lot of products of IGA ask me to configure changes in the screen in the UI where I don't, I want everything in a code so that I push the code using my CI/CD pipeline. Bring your own identity.
And this is a very new concept and I really liked it. Why do you have to store your identity in your infrastructure? Let the user bring his identity from a trusted provider. And we just trust and then provide access. It's very similar to federation, but more, the identity terms captures more data. And customer IAM. So we have customer IAM was mostly managed by marketing, but I think recently customer IAM, it does make sense for IAM team and cybersecurity team to manage customer IAM now.
So the list was very, very long and I have to really cut short because of the time limits, but there is lot you can do. A combination of Active Directory. What are you going to do with your directory services? Is LDAP and AD the right way to go? Maybe you should look at more modern solutions.
So how do you go about this change? Right? So my first recommendation is mindset change. And once you have the mindset and you agree that you are building a traditional IGA, the focus will come automatically to move to the next or modernization journey. So the first point is focus on progress, not perfection, because remember I said, small and frequent changes, and you may not be building something perfect, but you are realizing benefits early on. Think big picture, be agile and flexible. I've already spoken about it.
Keep your security principles in your pocket all the time, because that's your backbone and you can't be without them. Don't run away from cloud, embrace cloud, because that's going to stay. And then make sure you understand your business needs and choose the business requirement which impacts the most, and then prioritize that first. And of course, no big bang approach works here. So one step at a time. So that's what my recommendation is, how you will go in this journey.
Now I would ask you to ask yourself these questions, right, is what's your current requirements look like now, does it make sense with what you are implementing with your idea, is your IT team moving to cloud? Is there a journey you are prepared for? How will your IGA solution look like if we have cloud in place, we have few modernization in your IT team. Will it meet all the needs? Do you need something else?
Will, I don't know, maybe you have to think of another solution or a plugin, or maybe you have to decommission certain things and then how will you migrate? And by when should you do it? So these are some of the topics which I want to leave you with to think about how you want to modernize your IGA. So just towards the end to summarize, I want you to have a very open mindset first, accept that traditional IA is now a legacy. Please start looking ahead of the game and start thinking of what you are going to, how you are going to migrate.
Maybe add on, maybe migrate, maybe modify, right, and make your own evaluation, your prioritization, and then migrate or, or adopt. So that's, that's about it.
I, I did have a very bad voice. Sorry about that. But I'm open for questions.