Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice IAM (Identity and Access Management) here at KuppingerCole Analysts. My guest today is one of the founders of KuppingerCole Analysts and the Principal Analyst here at KuppingerCole. Hi Martin.
Hi, Matthias. Pleasure to be back in your podcast.
Great to have you. And Principal Analyst is important because we want to kick off a new sub series of this podcast, as analysts usually by the end of the year are issuing a set of trends and predictions for the next year. And we are heading towards the EIC, the European Identity and Cloud Conference in May in Berlin. We want to do something similar, but different and of course better. We want to start with what we call “Trends and Predictions” for the upcoming year, and we will do this in a regular fashion across the year and to make sure that we cover important topics while they occur, while they get more important, while they gain traction. And this is why we're here today. And today we want to start with the first trend that you have identified that you have worked on, where you have published already materials from different perspectives, from different angles. We want to talk about the integration of IGA and data governance. What is the main trend that you see behind there? What is the prediction, especially?
I wouldn't use the term trend here to be honest, but it should become a trend. I think it's more about a gap that we need to close. And so my prediction at the end is that the awareness of this will rise and when awareness rises, we will see demand for solutions and in consequence we will see the solution. So we will see it emerging, it is important, but it is, I would say, only very partially here yet. Maybe I take a bit of a longer introduction here. So I think many of the people listening to this podcasts have some good familiarity with I am and with areas such as IGA, so Identity Governance and Administration, what consists of user lifecycle management, identity provisioning and access governance. And there we have also this notion of joiner, mover, leaver. And sometimes we even find integration to privileged access management and that integration to privileged access management then is also about saying, okay, I have a privileged account, a technical, so a non-human account, a silicon account, so to speak, that needs an ownership. And there is an ownership, and if for instance me, Martin, I am the owner of a few accounts of a certain system, I change my job role in the organization or I leave the organization. That means that someone else needs to become the owner of these silicon accounts. Ownership needs to change, and the change of role or leave is managed by IGA, through the joiner, mover, leaver process. And so if you do it right, we can also handle the ownership, which is very important from a governance perspective. And here the challenge arises. We sometimes do that for privileged access management for certain types of accounts. We rarely do this in an integration, for instance, with our IT asset management systems, when it's about system ownership, application ownership. We even more rarely do that for data. So who is the data owner? Yes, we have quite a lot of solutions out there that handle in some way data ownership, data stewardship and stuff like that. But changes must be reflected and we rarely have processes in place, let's say, there is a change that may be reflected in HR at the beginning and that ensures what ends up in that data governance solution. For instance, it transfers the ownership, when a job role changes. We don't have it for software security and we have governance challenges in that area.
Great. And so when you say you close that gap, so that means integrating two solutions that are usually not yet well connected, but at the end you are extending the access management, the access control, the governance, the visibility, the compliance requirements and fulfilling them, towards data governance by integrating that with IGA, so it's really more automation, it's more streamlining, it's getting better in the overall security management, including data.
I wouldn't go over the top in the sense of extending the governance because there are so many facets of governance and certain parts of the data governance. What I'm looking at is this chain of custody, or what the IT people frequently say, “the ownership”. We need to be very careful with the term of data ownership because, when we look at it from a legal perspective, because the concept of data ownership is a bit more complex. So maybe the chain of custody is better. So who is in charge of certain data? I think what we need to really solve as a challenge, is if people’s jobs are changing, so job role changes, or the leaving the organization, then this needs to be reflected not only in access entitlements, it needs to be reflected everywhere. This is an integration issue, yes. It is something where the IGA solution or whichever solution handles that mover process, that leaver process because it could be triggered from an IT service management solution, that this also triggers the appropriate changes in a wide range of other systems such as data governance solutions, such as [...] where it's about code ownership, who is the person in charge of the code. And this is what we need to do. That requires then in fact, at the end it will be API based integration., it will be some sort of connectors. And that is something we need to get and we need to implement it. And aside of the technical integration, that also means we need to think of... first, we need to understand the challenge, we need to work on the processes, and that is also a lot of cross divisional work because there are different parties or silos involved and then we will have better control, better processes, less mistakes, less risk, data code. At the end, all that stuff is about risk. It's about technology risk in our organizations, and that is what we need to fix.
Absolutely. And since I think that we with this podcast are also talking to security pros, to identity pros, to governance pros, I think the message is clear when we talk about this as a prediction, as a trend, call it whatever the idea is to plant this thought into the mindset of those who make decisions for the next two years, who watch this space, who watch our website at kuppingercole.com or who visit us at EIC can learn more about these integration topics. And one of this would be actually the integration of IGA, IAM with data governance, with proper processes, with proper technical integration. But in the end for increasing automation, reducing risk and ideally getting better when it comes to governance and risk management.
And it’s also a bit of a call for action. A call for action for organizations to thoroughly think about this challenge and more holistically think about a challenge, but also a call for action to the providers of solutions on both the IAM / IGA and the data and the software development, and to work on these integrations. That is not rocket science, at the end of the day. I'm quite confident that a lot of this can be done by using just standard REST based APIs. Absolutely. But it needs to be done.
Absolutely. So we conclude this with this trend, with this prediction. And we really want to make sure and want to watch the space also for ourselves, as the saying goes, predictions are difficult, especially when they concern the future. But I think this is really a straightforward thing to do. And we will continue this discussion. We will talk about future trends with you, with other of our analyst colleagues over the year, and feel free to leave comments around these topics in the comment section below this video on YouTube or reach out to us via email and talk to us maybe at EIC, how you have implemented that or how you are approaching that topic. Thank you, Martin, for talking about this interesting aspect that has not yet been well covered and looking forward to having you soon for another prediction, or trend, or outlook on the next 1 to 3 years. Thanks, Martin.
Thank you.
