And of course, thanks to the audience for joining this interview. I hope you had an interesting event so far, and as Annie already mentioned, this interview is basically part of a series of sessions where I will talk in each and every KCLive event to C-level experts and practitioners about their current challenges and approaches in either cyber security or identity and access management.
I'm Kel, and I'm the CEO of co code. And today I'm very proud to have a very senior guest who interviewee together with me, Dr. Schneider from Alexei. Welcome. Thanks Beth. Take two. I'm sure we don't have to introduce the S group to the audience because as one of the largest insurance companies globally, I would assume most people have a good understanding of what S is about, but I know that a number of people in the audience are young professionals and they, of course, they are always interested to understand how was the career going of a senior person, et cetera, et cetera.
So I would really appreciate if you could kick this off with, if you explain a little bit your role at L Young's group and perhaps say also a couple of sentences to how was your journey to get where you are today? Oh, thank you, Patrick. So Alexei let's start from education. I am AIAN and I have a PhD in computer science in databases. And before I joined S in 1995, I was in consulting company. Yeah. So this is my background. And then I was more or less, more than 20 years, IT executive.
Yeah, I, but I joined also sales department of them. So I know a little bit the IT, coming from the front office IT system, the back office IT system, the infrastructure. And I would say the real hot topic of my career was when I was promoted to the first CIO of Alliance Germany. This was the whole life insurance, P&C and also health insurance. This was five years from 2006 to 2010. And then I joined the group and was the group CIO in January, 2011. So nowadays I'm more than 10 years group CIO of our young. And we did a lot of cool projects in this time with great teams.
But what I want to say is at the moment, I'm not only the group CIO, but I'm really focused on IT governance, IT strategy and information security, you see steering governance and information security just on the hottest priority of the group CIO.
And by way to manage our, ya, you have not only to manage more than 300,000 IT endpoints and more than 150,000 employees, but we are organized in 60 operating entities or business lines with each and every have a full board distributed over the whole world and therefore how to steer and govern and take care of information security for this whole group. Yeah. Yeah. This is a really big responsibility.
And just reflecting on what you just said with all the subsidiaries, with all the branches, with all the branches in other countries, the different departments, et cetera, et cetera. So that's probably quite fragmented. And of course also since ANGs is a very, let's say a company with a long tradition. When you introduce IAM there, you never start on a green field, you always carry some sort of legacy with you.
How, how, how difficult is it to let's say create, establish a more centralized identity and access management in such a complex environment like S? As I mentioned before, I was the CIO of a Germany and we have in Germany, we have 27 legal entities. And in Germany we have harmonized and standardized identity and access management in Germany before 2010. And therefore, I would say this was more or less harmonized. The real big issue started when I came to the group because of 60 operating entities.
Then you can imagine you have each and every OE, another local identity and access management. And I have to say in some operating entities, you had no harmonized identity and access management. So to speak. It was the challenge that we started in 2011, that we have to invent first of all, a global identity and access management, but also harmonized local identity and access management, technical term red forest concept. And so on how to, to standardize this, but not only have we started.
And this was when all these cloud are coming and all these shared services, you have to, to start also in per with the global privileged access management, you want to go in security, you have to harmonize both the identity and the, and access management, but you have to introduce also the privileged access management and for security. And so we are on the same page. This is the topic zero cannot go in. This environment is the proper identity and access.
Yeah, I will. I will come back to the two aspects of on the one hand cloud and privileged access management in a second. But before that, I'd like to ask you D question, of course, we always talk about identities. So which are, who are mainly employees, but I would assume also partners and other relationships. Can you say, okay, how many HR stores or identity stores does Alexei have? Is this just one center one? Or is it multiple, multiple stores across the globe of, to sea? You can imagine a Yas is operated in each and every part of the world.
And we are growing also organically grow also merchant activity. So therefore you can imagine what's happening in Germany. We have consolidated the HR system there. We have one, this is our largest operations, roughly 20% of the overall business, but all our operating entities have their local HR or identity store. Yeah.
Therefore, you know, it perfectly, but we have not only the identity store from, for the internal, we have the identity stores. You have to think about also for the external and then your, all your, your partner system, the agents for any insurers or the financial advisor.
And last, not least what always, and each it colleague know this, you have also the technical user and you have not to forget all of this issue of identities of technical. And this is pain in the neck. I cannot go. And 60 times times, and this was really our challenge. Yeah. Yeah. And of course that is adding another quite significant piece of complexity to the story. Because when, when I think of people moving from one country to another, or from one part of the, of the company to another, where, where they have to change stores and everything, then this is always difficult to handle, right?
Yeah. So to have, and young is highly regulated from the ING and so on, and like the banks, and you have to show the regulators and also our internal audit regime.
And so you have to say that you have the proper mover and leaver process, and you cannot avoid, and you have to check and to ensure that each and everybody has the minimum set of access rights and no, no access rights of the past when you join, this is really make the point. This is really a hot topic. When you check in, in one, check out in one HR system and then check in in the other HR system, or you be moving in this end one HR system. Yeah. Let's talk a little bit about roles and responsibilities in Alliance when it comes to access.
So who at the end of the day decides and approves whether or not someone becomes a certain, right. Is this typically the line manager, is this typically someone, a role manager or, or how is this, how is this handled? Can you shed some light on that? We have at first of all, the identity two ways, procurement at contract issue, we are define the identities of externals and identity of internal is done by the HR system. So we have the identities. Now we turn into the next step access management and what we have, we have for each and every application.
We have service application owner, which manage this, and then we have also roles and roles in a HR system. And then you get the roles, you get a specific sets of access rights, for example, mailing for, and storage topic and so on. And then you need an additional access rights to an application. Then you have this normal set of code you have to order and this and send it to call authority ation.
And this, or this is done by a line manager, a line manager for this application to allow, yes, this employee has tool, but line manager cannot give the right by themselves. This is done in a second for, yeah.
So it's, it's a strict governance process around granting and approving access rights. So yeah, if the exception, when you get a role and if the role are access right associated, then it's done fully, automatically, because then is the check done by the role yeah. That you get the role and you approve the role, and then you set if, but you need additional access rights And are the same people who grant and approve access. Are they also the ones who on an annual or frequent basis? Re-certify these access rights is This, this is sent, and this is an obligation.
This recertification of access rights, they are sent to the line managers of the employees. And they have the task to check whether the access rights are the appropriate set of access rights. Yeah. This is typically not a very popular task. No. How did you convince everyone to, to, to take that serious? Yeah. This is also, I said before we have the IT governance job, and also there is a compliance machine, and this is one of a topic that you have to be compliant to it. And this is a very, very hot topic for the line.
It's not an nitty task is a compliance issue when you are not doing as a line manager this properly. So it's a little bit really push. I have to do Very, you mentioned earlier the topic of cloud.
So what, what's your take, I'm sure you a is using one or more cloud providers and of course people will have access in the cloud as well. This is potentially adding another level of complexity. What are your experiences with that?
Yeah, there a very important topic is that you cannot go in the, you can go in the cloud, people missing identity and access management architecture. That that's not a good idea. I cannot disclose how many subscription accounts we have in the different clouds, but this is a quite number. And then now, if each, everybody is doing in different way, you would get your complexity explode. Therefore we have to take care that we harmonize this. We synchronize it. And you know, the concept of trusted Active Directories and all the other stuff, we are taking care.
And we have to, you have to have an architecture, how you manage your identity store and then how to bring together also with your Active Directories to get the real access. And by the way, when you feel going in cloud become all in the area of domain server connection and so on, and all these three main topic, Active Directories, domain, main services and identity stores and identity accident, to have to think about how to bring these very powerful systems together because they have to work.
This is the problem in identity and access management, you need higher reliability, of course, and not always reliability. And you have performance. Yeah. Because when you say, oh, it's not convenient. And I have to wait until minute to get out identification of offer to have really an issue with the user. Yeah. But what, from your perspective, or also from an a young perspective, what's the next big challenge in terms of identity access.
So what's, what are your next plans to further? Go ahead here. What I see with Corona, everybody has understood. It makes not a lot of sense when you go in remote and you have not multifactor identification. So therefore multifactor out identification, I would say is now going everywhere, whether you are remote or in office or privileged access and so on. So multifactor out in the factor, ation comes in and pop sports. Yeah.
This, the second is what I see. That's not only identities for users are very important, but I see it's also for internals and partner. Now it's coming all the identification of your customers, your online customer. So you have not only, em, come now you have customer TM, customer identity and access management this next Porwal. And what I see the third foot is coming with the cloud and all these, the different assets has also identities. And you have to handle this. So applications has identities and you have also to manage technical identities.
It's becoming more and more hot topic because everything with everything connected now, systems speak with each other, and you have to take care that these identities is allowed that these systems as speak. But this is a very, very hot topic, but I'm a strong believer each and every actor in the system, whether it's a machine or a human being has to have to get unique identity and you have to identify, and that it's really the loser, which, which you think is the, My last question, will we ever be done with identity and access management?
When that, that was when, when I was on your end sitting in a, in a company that I was always asked, we have so much invested into identity access yet already, when will we be done? Will there, will we come? Will you come to a point where you can say, now I, everything is perfect and I'm done.
No, never, never, ever. And I have also an evidence.
It was, I guess, seven years ago with Snowden and so on. And cyber security was on the board level. Yeah. And also in cyber security, never, ever, this is a race against the hacker. Yeah. Therefore you will have never, ever this, this range race at the end, therefore in cybersecurity is on the board level. I would say in each and every company.
And now I, I tell you in ours, global Palm Q global attending access manager and cm is also on the board level. Yeah. Because also the board has understood that this is really, really important. Of course we learned in identity, you are asking the question, are we harmonized with all our HR systems, frankly, for not obtain to collect then all the identities for center. And so this is understood in that this is really hot topic. And now bringing together, this is the starting point of every it identity, access management each and every, it, it, it can be hacked.
So how we can imagine that we have any time status quo, identity management, never, ever, Right. I'm sure we could continue for, for hours, but unfortunately I think our time is now, now over. I'd like to thank you very much for coming for sharing the insights, introducing yourself, sharing some challenges of Alexei. Thank You very, can I, can I add to the colleagues S listening when you take over the job of CIO and you will brave enough to say, I want not to understand identity access management, then I, my advice would be, look for another job.
CIO have to think about in this area and has good architecture that you, that you manage this IT risk is really a risk in a company. I think you will, you will certainly find a lot of open ears for that statement, especially when they come from the mouth of a CIO in this case from the S group rev.
Again, many thanks for coming. And with that, I hand it back to Annie.